Abstract. The method of simulations is an important technique for 
reasoning about real-time and other timing-based systems. It is adapted 
from an analogous method for untimed systems. This paper presents 
the simulation method in the context of a very general automaton (i.e., 
labelled transition system) model for timing-based systems. Sketches are 
presented of several typical examples for which the method has been used 
successfully. Other complementary tools are also described, in particular, 
invariants for safety proofs, progress functions for timing proofs, and 
execution correspondences for liveness proofs. 
1 Introduction 

In the years that have elapsed since the REX workshop series began, a good 
deal has been learned about how to reason about real-time and other timing- 
based systems. In many cases, the methods that have been developed have been 
adaptations of methods that had previously been used for untimed systems. 

In this paper, I present a method that I have found useful for verifying proper- 
ties of timing-based systems: the method of simulations. This has been adapted 
from the simulation method that has been widely used for untimed systems. The 
simulation method falls into the general category of assertional techniques, and 
includes refinement mappings, forward and backward simulations, and history 
and prophecy mapping techniques as special cases. 

I illustrate how simulations can be used for timing-based systems by intro- 
ducing them in the context of a very general automaton (i.e., labelled transition 
system) model for such systems. I present sketches of a sizable collection of typ- 
ical examples for which the method has been used successfully. These examples 
include proofs of ordinary safety properties, as well as time bound properties. 
Along the way, I describe other complementary tools, most notably, invariants 
for safety proofs, progress functions for timing proofs, and execution correspon- 
dences for liveness proofs. 

In more detail, the paper proceeds as follows. In Section 2, I describe the very 
general and basic timed automaton model of Lynch and Vaandrager [26], and 
use it to model a simple bounded clock system. In Section 3, I express the various 
notions of simulations from the literature, together with their basic soundness 
properties, all in terms of the basic model. As an example, I describe a simple 
clock synchronization algorithm and show, using a refinement mapping, that it 
implements the bounded clock system. 

Next, I impose some useful structure on the model and simulations, and 
present several examples of simulation proofs that take advantage of this 
structure. Specifically, in Section 4, I define an important special case of the general 
timed automaton model - the timed automaton model of Merritt, Modugno and 
Tuttle [29]. I use this model to describe Fischer's timing-based mutual exclusion 
algorithm [10], and to verify that the algorithm in fact satisfies the mutual ex- 
clusion property. Then in Section 5, I illustrate how simulations, in particular, 
forward simulations, can be used to prove time bounds as well as ordinary safety 
properties. I do this using five examples, including Fischer's and Dijkstra's mu- 
tual exclusion algorithms. All these examples are described using the special case 
model of Merritt et al. 

Section 6 indicates how liveness proofs can be integrated with the safety and 
time bound proofs, and Section 7 concludes with a discussion. 

2 The Basic Timed Automaton Model 

The basic model that I use for describing timing-based systems is the simple and 
very general model of Lynch and Vaandrager [26, 27, 41].¹ This section contains 
the relevant definitions. 

2.1 Timed Automata 

A timed automaton A consists of: 

- a set states(A) of states; 

- a nonempty subset start(A) of start states; 

- a set acts(A) of actions, including a special time-passage action $\nu$; the actions 
are partitioned into external and internal actions, where $\nu$ is considered 
external; the visible actions are the non-$\nu$ external actions; the visible actions 
are partitioned into input and output actions; 

- a set steps(A) of steps (transitions); this is a subset of 
$states(A) \times acts(A) \times states(A)$; 

- a mapping $now_A : states(A) \to \mathbb{R}^+$. ($\mathbb{R}^+$ denotes the nonnegative reals.) 

I write $s' \xrightarrow{\pi}_A s$ as shorthand for $(s', \pi, s) \in steps(A)$. I usually write 
$s.now_A$ in place of $now_A(s)$. I sometimes suppress the subscript or argument A 
when no confusion seems likely. 

There are several simple axioms that a timed automaton is required to satisfy: 

[A1] If $s \in start$ then $s.now = 0$. 

[A2] If $s' \xrightarrow{\pi} s$ and $\pi \neq \nu$ then $s'.now = s.now$. 

[A3] If $s' \xrightarrow{\nu} s$ then $s'.now < s.now$. 

[A4] If $s' \xrightarrow{\nu} s''$ and $s'' \xrightarrow{\nu} s$, then $s' \xrightarrow{\nu} s$. 

In order to state the last axiom, I need a preliminary definition of a trajectory, 
which describes restrictions on the state changes that can occur during time- 
passage. Namely, if $I$ is any interval of $\mathbb{R}^+$, then an $I$-trajectory is a function 
$w : I \to states$, such that 



¹ There are a few tiny technical distinctions among the definitions in the listed papers. 
The definitions I use here are restatements of those of [41], except that I classify 
external actions as input or output, allow named internal actions, and also correct 
an obvious omission in the trajectory axiom. 



1. $w(t).now = t$ for all $t \in I$, and 

2. $w(t_1) \xrightarrow{\nu} w(t_2)$ for all $t_1, t_2 \in I$ with $t_1 < t_2$. 

That is, w assigns, to each time t in interval I, a state having the given time t 
as its now component. This assignment is done in such a way that time-passage 
steps can span between any pair of states in the range of w. If w is an I-trajectory 
and I is left-closed, then define $w.ftime = \min(I)$ and $w.fstate = w(w.ftime)$, 
while if I is right-closed, then define $w.ltime = \max(I)$ and $w.lstate = w(w.ltime)$. 
If I is a closed interval, then an I-trajectory w is said to span from state s' to 
state s if $w.fstate = s'$ and $w.lstate = s$. The final axiom is: 

[A5] If $s' \xrightarrow{\nu} s$ then there exists a trajectory from s' to s. 

Axiom [A1] says that the current time is always 0 in a start state. Axiom 
[A2] says that non-time-passage steps do not change the time; that is, they occur 
"instantaneously", at a single point in time. Axiom [A3] says that time-passage 
steps must cause the time to increase; this is a convenient technical restriction. 
Axiom [A4] allows repeated time-passage steps to be combined into one step. 
Axiom [A5] is a kind of converse to [A4]; it says that any time-passage step can 
be "filled in" with states for each intervening time, in a "consistent" way. This 
axiom is a strengthening of a similar axiom used elsewhere which, rephrased in 
the terminology of this paper, reads: If $s' \xrightarrow{\nu} s$ and $s'.now < t < s.now$, then 
there is an $s''$ with $s''.now = t$ such that $s' \xrightarrow{\nu} s''$ and $s'' \xrightarrow{\nu} s$. 

Note that this model is sufficiently general to allow description of hybrid 
systems [28], because it allows rather general changes to the state during time- 
passage steps. 

2.2 Timed Executions 

In this subsection, I define a notion of "timed execution" for a timed automaton. 
The most obvious formulation of a timed execution might be as a sequence of 
visible, internal and time-passage actions, interspersed with their intervening 
states. I augment this information slightly by including the trajectories for each 
time-passage action. 

Formally, a timed execution fragment is a finite or infinite alternating 
sequence $\alpha = w_0 \pi_1 w_1 \pi_2 w_2 \cdots$, where: 

1. Each $w_j$ is a trajectory and each $\pi_j$ is a non-time-passage action. 

2. If $\alpha$ is a finite sequence, then it ends with a trajectory. 

3. If $w_j$ is not the last trajectory in $\alpha$ then its domain is a closed interval. If 
$w_j$ is the last trajectory then its domain is left-closed (and either right-open 
or right-closed). 

4. If $w_j$ is not the last trajectory then $w_j.lstate \xrightarrow{\pi_{j+1}} w_{j+1}.fstate$. 

The trajectories describe the changes of state during the time-passage steps. The 
last item says that the actions in a span between successive trajectories. 

A timed execution is a timed execution fragment for which the first state of 
the first trajectory, $w_0$, is a start state. In this paper, I am mainly interested 
in a particular subclass of the set of timed executions: the admissible timed 
executions. These are defined to be the timed executions in which the supremum 
of the set of now values occurring in the states is $\infty$. 

A state of a timed automaton is defined to be reachable if it is the final state 
of the final trajectory in some finite timed execution of the automaton. 

Note that, as I have described them so far, timed automata have no features 
for expressing liveness or fairness properties (with the exception of admissibility). 
In general, such features are less important in the timed setting than they are in 
the untimed setting, since they are often replaced by time bound requirements. 
However, in Section 6, I will say more about how liveness can be added in. 

Note that there exist timed automata that have no admissible timed execu- 
tions. To rule out this case, one generally restricts attention to timed automata 
that are feasible, i.e., in which each "finite" timed execution can be extended 
to an admissible timed execution. I will not address issues of feasibility in this 
paper; for a discussion of feasibility, I refer the reader to [12]. 

2.3 Timed Traces 

In order to describe the problems to be solved by timed automata, I require a 
definition for their visible behavior. I use the notion of timed traces. The timed 
trace of any timed execution is just the sequence of visible events that occur in 
the timed execution, paired with their times of occurrence. The admissible timed 
traces of the timed automaton are just the timed traces that arise from all the 
admissible timed executions. If a problem P is formulated as a set of (finite and 
infinite) sequences of actions paired with times, then a timed automaton A is 
said to solve P if all its admissible timed traces are in P. Often, it is natural 
to express a problem P as the set of admissible timed traces of another timed 
automaton B. Thus, the notion of admissible timed traces induces a preorder 
on timed automata: A < B is defined to mean that the set of admissible timed 
traces of A is a subset of the set of admissible timed traces of B. 



2.4 Discrete Executions 

Sometimes it is useful in proofs about timed automata to use another notion of 
execution, one that omits the trajectory information in favor of just recording 
time-passage steps. I define a discrete execution fragment of a timed automaton 
to be a finite or infinite alternating sequence $\alpha = s_0 \pi_1 s_1 \pi_2 s_2 \cdots$, where: 

1. Each $s_j$ is a state and each $\pi_j$ is an action (possibly a time-passage action). 

2. If $\alpha$ is a finite sequence, then it ends with a state. 

3. If $s_j$ is not the last state then $s_j \xrightarrow{\pi_{j+1}} s_{j+1}$. 

A discrete execution is a discrete execution fragment whose first state is a start 
state. Again, I am mainly interested in the admissible discrete executions - those 
in which the supremum of the now values occurring in the states is $\infty$. Note that 
any admissible discrete execution must be an infinite sequence. 



The timed trace of an admissible discrete execution is the sequence of visible 
events that occur in the execution, paired with their times of occurrence, i.e., 
the now values in the preceding states. 

An admissible discrete execution $\alpha$ is said to sample an admissible timed 
execution $\alpha'$ if its sequence of actions consists of exactly the actions of $\alpha'$, occurring 
at the same times, interspersed with time-passage actions; several consecutive 
time-passage actions can be used to span a trajectory. The states appearing in 
$\alpha$ must be extracted in the natural way from the trajectories in $\alpha'$. 

Lemma 1. If $\alpha'$ is an admissible timed execution then there exists an admissible 
discrete execution $\alpha$ that samples it. Conversely, if $\alpha$ is an admissible discrete 
execution, then there exists an admissible timed execution $\alpha'$ such that $\alpha$ samples 
$\alpha'$. 

Lemma 2. If $\alpha$ samples $\alpha'$, then the timed trace of $\alpha$ is the same as that of $\alpha'$. 

Lemma 3. A state of a timed automaton is reachable exactly if it is the final 
state of some finite discrete execution. 

These definitions and relationships are presented in detail in [26]. 



2.5 Composition 

I define a simple binary parallel composition operator for timed automata. Let 
A and B be timed automata satisfying the following compatibility conditions: 

1. A and B have no output actions in common. 

2. No internal action of A is an action of B, and vice versa. 

Then the composition of A and B, written as $A \times B$, is the timed automaton 
defined as follows. 

- $states(A \times B) = \{(s_A, s_B) \in states(A) \times states(B) : s_A.now_A = s_B.now_B\}$; 

- $start(A \times B) = start(A) \times start(B)$; 

- $acts(A \times B) = acts(A) \cup acts(B)$; an action is external in $A \times B$ exactly if 
it is external in either A or B, and likewise for internal actions; a visible 
action of $A \times B$ is an output in $A \times B$ exactly if it is an output in either A 
or B, and is an input otherwise; 

- $(s'_A, s'_B) \xrightarrow{\pi}_{A \times B} (s_A, s_B)$ exactly if 

1. $s'_A \xrightarrow{\pi}_A s_A$ if $\pi \in acts(A)$, else $s'_A = s_A$, and 

2. $s'_B \xrightarrow{\pi}_B s_B$ if $\pi \in acts(B)$, else $s'_B = s_B$; 

- $(s_A, s_B).now_{A \times B} = s_A.now_A$. 

It is not hard to show that $A \times B$ is indeed a timed automaton, and that the 
parallel composition operator is substitutive for the admissible timed trace inclusion 
ordering, $\le$, on timed automata. 



2.6 Example: Bounded Clock System 

I close this section with a simple example of a timed automaton. This example 
is adapted from [38]. It is a fairly standard-looking description of a clock system, 
consisting of a collection of "local clocks" , each of whose values is always within 
a bound e of real time. The automaton simply maintains this property, while 
permitting real time to pass. 

In the given code, the state is described in a structured fashion, as a col- 
lection of values for a collection of state components. Likewise, the start state 
is described as a collection of initial values for the components. The actions 
are listed explicitly. The steps are described in a guarded command style, orga- 
nized by actions (including the time-passage action), each with a "precondition" 
(guard) describing conditions on the state that enable the action to occur, and 
an "effect" describing the state changes that accompany the action. The time- 
passage action $\nu$ is parameterized with an incremental time $\Delta t$, describing the 
amount of time that passes. The now component appears as an explicit state 
component. 

Let I be a nonempty, finite set of node indices. 

Automaton B: Bounded Clock System 

Actions: 
  Output: 
    report_i(c), i ∈ I 
  Internal: 
    tick_i(c), i ∈ I 

State components: 
  now ∈ ℝ⁺, initially 0 
  clock_i ∈ ℝ⁺, i ∈ I, initially 0 

tick_i(c) 
  Precondition: 
    c ≥ clock_i 
    |c − now| ≤ ε 
  Effect: 
    clock_i := c 

report_i(c) 
  Precondition: 
    c = clock_i 
  Effect: 
    none 

ν(Δt) 
  Precondition: 
    t = now + Δt 
    for all i, |t − clock_i| ≤ ε 
  Effect: 
    now := t 

Thus, any local clock is allowed to "tick" (i.e., advance to a new specified 
value c) if the new value is at least as big as the old value, and is within ε of real 
time. Moreover, real time is allowed to pass, as long as it remains within ε of all 
the local clock values. Finally, any current local clock value can be reported at 
any time. The following lemma captures the key synchronization property. 

Lemma 4. The following is true of every reachable state of B: 
For all i, $|clock_i - now| \le \epsilon$. 

Proof. In view of Lemma 3, it suffices to prove the property for all states that 
occur as final states of finite discrete executions of B. The proof proceeds by 
induction on the number of actions in a finite discrete execution. Correctness 
follows from the explicit checks performed by the tick and $\nu$ actions. □ 

Consider the admissible timed executions of B - those in which the time 
components of the states approach infinity. In order for time to pass to infinity, 
it is necessary that the clocks all tick infinitely often (and by an appropriate 
amount) so they can stay close to real time. The report actions are optional. 

It is not hard to see that timed automaton B is feasible. For, starting from any 
finite timed execution of B, it is not hard to construct a sequence of synchronized 
clock ticks and time-passage actions that allows time to pass to infinity. 

Clock B is discrete, in the sense that the increases in the values of the various 
clocks all happen in discrete ticks. It is also possible to define a corresponding 
continuous clock within the same model. Such a clock would eliminate the tick 
actions, and would instead allow continuous increases in the values of the local 
clocks, as part of time-passage steps. Such clocks are described in [5]. 

2.7 Discussion 

In [41], parallel composition and several other useful operations on timed au- 
tomata are denned. These include standard "untimed operations" such as hid- 
ing, renaming, internal and external choice, sequential composition, and the CSP 
interrupt operator [13] (i.e., A and B are both started; if B performs a visible 
action then A is interrupted and B continues to run). They also include some 
"timed operations" such as the timed CSP timeout [6, 35] (i.e., A is started; if A 
does not perform a visible action by real time d, then A is interrupted and B is 
started), and the ATP execution delay operator [31]. The admissible timed trace 
inclusion relation (more precisely, a variant of it that includes certain kinds of 
"finite timed traces" as well) is shown to be substitutive with respect to all of 
these operations. 

3 Simulations for Timed Automata 

In this section, I introduce the basic types of simulations that can be used for 
proving properties of systems described as timed automata. Simulation methods 
are just a few among many possible formal tools for reasoning about systems 
expressed as timed automata, but they are among the most powerful for proving 
safety properties. 



The value of the simulation method for verifying safety properties of untimed 
systems is now well established. Many papers and books, e.g., [3,15,19,21,23, 
32,38,42], contain substantial examples of its use. Also see [14] for a persuasive 
discussion of the value of the technique. The use of this method for timed systems 
is much newer, but appears very promising. Preliminary results appear in [20, 38]. 

3.1 Simulations 

In this subsection, I define the basic types of simulations: refinements, forward 
simulations, and backward simulations, for timed automata. These definitions are 
paraphrased from [26,27].² As described in [25-27], they are all straightforward 
extensions of similar definitions for untimed automata. 

Suppose A and B are timed automata. A refinement from A to B is a function 
$r : states(A) \to states(B)$ that satisfies: 

1. $r(s).now = s.now$. 

2. If $s \in start(A)$ then $r(s) \in start(B)$. 

3. If $s' \xrightarrow{\pi}_A s$ then there is a timed execution fragment from $r(s')$ to $r(s)$ 
having the same sequence of timed visible actions (that is, the same sequence 
of visible actions, with the same associated times) as the given step. 

Note that $\pi$ is allowed to be the time-passage action in the third item of this 
definition; the same is true in the succeeding definitions. 

In the following definitions, I use the notation $r[s]$, where r is a binary 
relation, to denote $\{u : (s, u) \in r\}$. 

A forward simulation from A to B is a relation f over states(A) and states(B) 
that satisfies: 

1. If $u \in f[s]$ then $u.now = s.now$. 

2. If $s \in start(A)$ then $f[s] \cap start(B) \neq \emptyset$. 

3. If $s' \xrightarrow{\pi}_A s$ and $u' \in f[s']$, then there exists $u \in f[s]$ such that there is a 
timed execution fragment from u' to u having the same sequence of timed 
visible actions as the given step. 

A backward simulation from A to B is a total relation b over states(A) and 
states(B) that satisfies: 

1. If $u \in b[s]$ then $u.now = s.now$. 

2. If $s \in start(A)$ then $b[s] \subseteq start(B)$. 

3. If $s' \xrightarrow{\pi}_A s$ and $u \in b[s]$, then there exists $u' \in b[s']$ such that there is a 
timed execution fragment from u' to u having the same sequence of timed 
visible actions as the given step. 

A backward simulation is said to be image-finite provided that $b[s]$ is a finite set 
for every state s of A. Note that every refinement is a forward simulation, and 
is also an image-finite backward simulation. 



² In the earlier papers, they are called "timed refinements", etc. Here I omit the 
adjective "timed" for brevity. 
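The following is an added example, not part of the paper, showing how the three conditions of a forward simulation can be checked mechanically when both automata are finite. It constructs two small "alarm" automata (an implementation that raises the alarm at exactly time 2, and a specification that allows it anywhere in [1, 3]), restricts time to the integer instants 0..4 so that the search is finite, and, for condition 3, searches the specification for a timed execution fragment with the same timed visible actions as the implementation step. The automata, the identity relation used as f, and the names alarm_automaton, fragment_exists and check_forward_simulation are all assumptions of this example. A third automaton that fires only at time 4 shows the checker reporting the step for which no matching fragment exists.

```python
"""Exhaustive check of the three forward-simulation conditions of Section 3.1
on small, fully enumerated timed automata.  To keep the check finite, time is
restricted to the integer instants 0..HORIZON.  The automata, the relation and
the helper names are constructed for this example."""
from collections import deque

NU = "nu"        # the time-passage action
HORIZON = 4      # largest time instant modelled

def alarm_automaton(earliest, latest):
    """Constructed timed automaton.  A state is (now, ctrl).  While ctrl is
    'waiting', time may pass only up to `latest`; the visible action 'alarm'
    is enabled when earliest <= now <= latest and sets ctrl to 'fired', after
    which time passes freely.  Returns a dict with explicit finite components."""
    states = {(t, c) for t in range(HORIZON + 1) for c in ("waiting", "fired")}
    steps = set()
    for t in range(HORIZON + 1):
        for t2 in range(t + 1, HORIZON + 1):            # axiom [A3]: time increases
            if t2 <= latest:
                steps.add(((t, "waiting"), NU, (t2, "waiting")))
            steps.add(((t, "fired"), NU, (t2, "fired")))
        if earliest <= t <= latest:
            steps.add(((t, "waiting"), "alarm", (t, "fired")))
    return {"states": states, "start": {(0, "waiting")}, "steps": steps}

def visible(action):
    """Visible = external and not time-passage; internal actions start with 'int_'."""
    return action != NU and not action.startswith("int_")

def fragment_exists(B, u_from, u_to, timed_visible):
    """Breadth-first search in B for an execution fragment from u_from to u_to
    whose sequence of (visible action, time) pairs is exactly `timed_visible`."""
    succ = {}
    for p, a, q in B["steps"]:
        succ.setdefault(p, []).append((a, q))
    target = tuple(timed_visible)
    frontier, seen = deque([(u_from, ())]), {(u_from, ())}
    while frontier:
        u, emitted = frontier.popleft()
        if u == u_to and emitted == target:
            return True
        for a, q in succ.get(u, []):
            e2 = emitted + ((a, u[0]),) if visible(a) else emitted
            if e2 != target[:len(e2)]:       # prune: not a prefix of the target
                continue
            if (q, e2) not in seen:
                seen.add((q, e2))
                frontier.append((q, e2))
    return False

def check_forward_simulation(A, B, f):
    """Return None if the relation f (a set of (s, u) pairs) satisfies
    conditions 1-3 of a forward simulation from A to B; otherwise return a
    tuple naming the first violated condition and the offending state or step."""
    def image(s):                       # f[s] = {u : (s, u) in f}
        return {u for x, u in f if x == s}
    for s in A["states"]:
        for u in image(s):
            if u[0] != s[0]:
                return ("now", s, u)                      # condition 1
    for s in A["start"]:
        if not image(s) & B["start"]:
            return ("start", s)                           # condition 2
    for s1, a, s2 in sorted(A["steps"]):
        tv = [(a, s1[0])] if visible(a) else []
        for u1 in image(s1):
            if not any(fragment_exists(B, u1, u2, tv) for u2 in image(s2)):
                return ("step", s1, a, s2, u1)            # condition 3
    return None

def identity_relation(A):
    return {(s, s) for s in A["states"]}

IMPL = alarm_automaton(2, 2)   # raises the alarm at exactly time 2
SPEC = alarm_automaton(1, 3)   # allows the alarm anywhere in [1, 3]
LATE = alarm_automaton(4, 4)   # raises the alarm at time 4: outside the window

if __name__ == "__main__":
    print("IMPL <=_F SPEC:", check_forward_simulation(IMPL, SPEC, identity_relation(IMPL)))
    print("LATE <=_F SPEC:", check_forward_simulation(LATE, SPEC, identity_relation(LATE)))
```

The search in fragment_exists is what makes condition 3 more than a one-step match: the specification may answer an implementation step with several internal or time-passage steps, as long as the visible actions and their times agree. For LATE the checker stops at the time-passage step from (0, waiting) to (4, waiting), which the specification cannot mirror because it does not let time pass beyond 3 while waiting; that is exactly the obligation Theorem 5 relies on, and the failing step is a concrete witness that the trace-inclusion argument would not go through.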



I write $A \le_R B$, $A \le_F B$ and $A \le_B B$ to denote the existence of a refinement, 
forward simulation, or backward simulation from A to B, respectively. Also, I 
write $A \le_{iB} B$ to denote the existence of an image-finite backward simulation 
from A to B. 

The most important fact about these simulations is captured by a set of 
results saying that they are sound for admissible timed trace inclusion. More 
specifically: 

Theorem 5 (Soundness). $A \le_R B$, $A \le_F B$ and $A \le_{iB} B$ all imply that 
$A \le B$. 

Note that $A \le_B B$ does not by itself imply admissible timed trace inclusion; 
a weaker soundness result, involving inclusion of sets of "finite timed traces", 
does hold in this case. 

The soundness results are all proved in [26,27], based on corresponding re- 
sults for untimed automata. For untimed automata, the first two are proved by 
induction on the number of steps in an execution, while the last is proved by 
a backwards induction together with König's Lemma. Alternatively, the timed 
results can be proved directly by such inductions and König's Lemma, but the 
proof is best done using the "discretized" version of a timed execution mentioned 
earlier, which includes discrete time-passage steps rather than trajectories. 

Another important fact about these simulations is a completeness result, also 
proved in [26, 27], for the methods used in combination. Namely, define a timed 
automaton to have finite invisible nondeterminism if, for every sequence of timed 
visible actions and every real time t, there are only finitely many states that can 
result from finite timed executions that generate the given sequence of timed 
visible actions and have t as the final time. 

Theorem 6 (Completeness). If $A \le B$ and B has finite invisible nondeterminism 
then there exists a timed automaton C such that $A \le_F C \le_{iB} B$. 

3.2 Invariants and Weak Simulations 

In using the simulation methods for actual proofs, the first thing that one usually 
wants to do is to divide the work of the proof, by first proving some invariants 
about either or both of the two automata involved. The use of such invariants 
must be justified; doing this requires augmenting the simulation definitions and 
soundness results to incorporate the invariants explicitly. In this subsection, I 
describe this extension. 

For the purposes of this paper, I define an invariant of a timed automaton to 
be any property that is true of all reachable states; I do not make the assump- 
tion sometimes made elsewhere, that it is actually preserved by all steps of the 
automaton. 

I call the newly-defined simulations weak refinements, weak forward simula- 
tions, etc., since (in most cases) they have fewer proof obligations. 

A weak refinement from A to B with respect to invariants $I_A$ and $I_B$ (of A 
and B, respectively) is a function $r : states(A) \to states(B)$ that satisfies: 

1. $r(s).now = s.now$. 

2. If $s \in start(A)$ then $r(s) \in start(B)$. 

3. If $s' \xrightarrow{\pi}_A s$, $\{s', s\} \subseteq I_A$, and $r(s') \in I_B$, then there is a timed execution 
fragment from $r(s')$ to $r(s)$ having the same timed visible actions as the 
given step. 

A weak forward simulation from A to B with respect to $I_A$ and $I_B$ is a 
relation f over states(A) and states(B) that satisfies: 

1. If $u \in f[s]$ then $u.now = s.now$. 

2. If $s \in start(A)$ then $f[s] \cap start(B) \neq \emptyset$. 

3. If $s' \xrightarrow{\pi}_A s$, $\{s', s\} \subseteq I_A$, and $u' \in f[s'] \cap I_B$, then there exists $u \in f[s]$ such 
that there is a timed execution fragment from u' to u having the same timed 
visible actions as the given step. 

A weak backward simulation from A to B with respect to $I_A$ and $I_B$ is a 
relation b over states(A) and states(B) that satisfies: 

1. If $u \in b[s]$ then $u.now = s.now$. 

2. If $s \in start(A)$ then $b[s] \cap I_B \subseteq start(B)$. 

3. If $s' \xrightarrow{\pi}_A s$, $\{s', s\} \subseteq I_A$, and $u \in b[s] \cap I_B$, then there exists $u' \in b[s'] \cap I_B$ 
such that there is a timed execution fragment from u' to u having the same 
timed visible actions as the given step. 

4. If $s \in I_A$ then $b[s] \cap I_B \neq \emptyset$. 

A weak backward simulation is said to be image-finite provided that $b[s]$ is a 
finite set for every state s of A. 

Each of these three new definitions says that it is permissible to use the 
invariants on all the hypothesized states, in proving the existence of the required 
timed execution fragment. Note that in the case of a backward simulation, there 
is an extra proof obligation - to show that the invariant for B gets preserved 
"in reverse". In this sense, it is not strictly correct to say the notion of a weak 
backward simulation is "weaker" than the original notion of a backward 
simulation. Every weak refinement is a weak forward simulation, but not necessarily a 
weak backward simulation. 

I extend the notation defined earlier, writing $A \le_{wR} B$, $A \le_{wF} B$, $A \le_{wB} B$, 
and $A \le_{wiB} B$ to denote that there exists a weak refinement, weak forward 
simulation, weak backward simulation, or weak image-finite backward 
simulation, from A to B, respectively, with respect to some invariants. The extended 
soundness results are: 

Theorem 7 (Soundness). $A \le_{wR} B$, $A \le_{wF} B$ and $A \le_{wiB} B$ all imply that 
$A \le B$. 

3.3 Example: Clock Synchronization Algorithm 

In this subsection, I describe a very simple implementation (in the sense of the 
$\le$ preorder) of the bounded clock system B (where $|I| = 2$, i.e., the system 
has two nodes). The algorithm consists of two nodes connected by a one-way 
channel, with message delay in the known range $[0, d]$. Node 1 maintains its 
own local clock, assumed always to be within $\delta$ of real time. Node 1 informs 
node 2 whenever its own clock changes, and node 2 simply adopts the maximum 
clock value it has seen as its own. Although it would probably be most natural 
to model this algorithm as the composition of three timed automata (the two 
nodes and the channel), for brevity, I just model it as a single timed automaton 
A. 

Automaton A: Clock Synchronization Algorithm 

Actions: 
  Output: 
    report_i(c), i ∈ {1, 2} 
  Internal: 
    tick_1(c) 
    deliver(c) 

State components: 
  now ∈ ℝ⁺, initially 0 
  clock_i ∈ ℝ⁺, i ∈ {1, 2}, initially 0 
  channel, a multiset of ℝ⁺ × ℝ⁺, initially empty 

tick_1(c) 
  Precondition: 
    c ≥ clock_1 
    |c − now| ≤ δ 
  Effect: 
    clock_1 := c 
    add (c, now + d) to channel 

deliver(c) 
  Precondition: 
    (c, v) ∈ channel 
  Effect: 
    remove (c, v) from channel 
    clock_2 := max(clock_2, c) 

ν(Δt) 
  Precondition: 
    t = now + Δt 
    |t − clock_1| ≤ δ 
    for all (c, v) ∈ channel, t ≤ v 
  Effect: 
    now := t 

report_i(c) 
  Precondition: 
    c = clock_i 
  Effect: 
    none 




The tick action for node 1 is just like the tick actions of B, except that, in 
addition to just updating the local clock, it also causes a copy of the new clock 
value to be put into the channel. The second component v of the message that 
is put into the channel represents a real time by which that message is supposed 
to get delivered to node 2. Note that this second component is not a "normal" 
component of the algorithm; it is only introduced in order to encode a real-time 
restriction on the algorithm's behavior. This strategy - representing a real-time 
deadline by an explicit deadline component in the state - is a frequently-used 
technical device in defining timed automata. 

The deliver action causes node 2 to reset its clock to the newly received value 
(provided that the new value is not less than the old value). Now the time-passage 
action is required explicitly to maintain the appropriate relationship with clock 
1, but there is no direct requirement that it remain close to clock 2. However, 
there is a new constraint on real time: time is constrained not to pass beyond 
the scheduled last delivery time for any message in the channel. The reports are 
as in B. 

I claim that, provided that $\epsilon \ge \delta + d$, this algorithm A "implements" system 
B, in the sense that $A \le B$ (inclusion of sets of admissible timed traces). To 
show this, I use a trivial weak refinement, r, defined as follows. Here, record 
notation is used to indicate state components. 

- $r(s).now = s.now$. 

- $r(s).clock_i = s.clock_i$, $i \in \{1, 2\}$. 

In order to show that r is a weak refinement, some invariants are helpful. 
Specifically, $I_A$ is defined to be the set of states of A in which 
$now - \epsilon \le clock_2 \le now + \delta$ and $now - \delta \le clock_1 \le now + \delta$. $I_B$ is defined to be the set of 
all states of B - no particular properties of B will be needed in the proof. I now 
prove that $I_A$ holds of all reachable states of A; this requires a series of simple 
lemmas. 

Lemma 8. The following is true of every reachable state of A: 
$|clock_1 - now| \le \delta$. 

Proof. By induction on the number of actions in a discrete execution, using the 
explicit checks in the $tick_1$ and $\nu$ actions. □ 

Lemma 9. The following are true of every reachable state of A: 

1. If $(c, v) \in channel$ then $c \le clock_1$. 

2. $clock_2 \le clock_1$. 

3. $clock_2 \le now + \delta$. 

Proof. The first two parts are by an easy induction. The last part follows from 
the second part and Lemma 8. □ 

It remains to prove that $now - \epsilon \le clock_2$, i.e., that $clock_2$ does not lag too 
far behind real time. In order to prove this, I prove several intermediate lemmas. 
The next lemma asserts that the value of $clock_1$ is in fact communicated to node 
2. 

Lemma 10. The following is true of every reachable state of A: 

Either $clock_2 = clock_1$ or there is some $(c, v) \in channel$ such that $c = clock_1$. 



The next lemma says that every message in the channel is scheduled to be 
delivered at most time d in the future. 

Lemma 11. The following is true of every reachable state of A: 
If $(c, v) \in channel$ then $now \le v \le now + d$. 

The following is the key lemma. It implies that, for $0 \le l \le d$, the value that 
$clock_2$ will have l time units from now is at least $now - \delta - (d - l) \ge now - \epsilon + l$. 
The lemma explicitly describes the smallest value that $clock_2$ can take on, in 
terms of the current value of $clock_2$ and the messages that are guaranteed to be 
delivered strictly before time l from now.³ 

Lemma 12. The following is true of every reachable state of A: 

For any l, $0 \le l \le d$, either $clock_2 \ge now - \delta - (d - l)$ or there is some 
$(c, v) \in channel$ such that $c \ge now - \delta - (d - l)$ and $v < now + l$. 

Proof. By induction on the number of actions in a discrete execution. The inter- 
esting case is the time-passage action $\nu$. Suppose that $\nu$ increases the time from 
$t'$ to $t = t' + \Delta t$, while allowing the state to change from $s'$ to $s$. Fix $l$, $0 \leq l \leq d$. 
There are two cases: 

1. $\Delta t + l \leq d$. 

Then let $l' = l + \Delta t$; then $0 \leq l' \leq d$. By inductive hypothesis, either 
$s'.clock_2 \geq t' - \delta - (d - l')$ or there is some $(c, v) \in s'.channel$ such that 
$c \geq t' - \delta - (d - l')$ and $v < t' + l'$. But $t + l = t' + l'$, and so $t - \delta - (d - l) = 
t' - \delta - (d - l')$. Moreover, $s.clock_2 = s'.clock_2$. So either $s.clock_2 \geq t - \delta - (d - l)$ 
or there is some $(c, v) \in s.channel$ such that $c \geq t - \delta - (d - l)$ and $v < t + l$. 
This is as needed. 

2. $\Delta t + l > d$. 

The definition for $\nu$ says that $s.clock_1 = s'.clock_1 \geq t - \delta$. Then Lemma 
10 implies that either $s.clock_2 = s.clock_1 \geq t - \delta$ or there is some $(c, v) \in 
s.channel$ such that $c = s.clock_1 \geq t - \delta$. The first of these alternatives 
suffices for the lemma. In the latter case, it must be that $v \leq t' + d$, by 
Lemma 11. By the defining condition of this case, this implies that $v < t + l$. 
This suffices. 

□ 

Lemma 13. The following is true of every reachable state of A: 
$now - \epsilon \leq clock_2$. 

Proof. By Lemma 12, for $l = 0$, it must be that in any reachable state, either 
$clock_2 \geq now - \delta - d \geq now - \epsilon$ or there is some $(c, v) \in channel$ such that 
$c \geq now - \delta - d$ and $v < now$. But the latter is impossible, by Lemma 11. So 
the former holds, which is as needed. □ 



³ Note that the model allows for several actions to occur at the same real time. This 
makes it necessary to be especially careful about strict vs. non-strict inequalities. 



This proves $I_A$. It still remains to show that $r$ is a weak forward simulation 
with respect to invariants $I_A$ and $I_B$. Fortunately, for this case, proving the 
invariants has already accomplished most of the work. 

Lemma 14. $r$ is a weak refinement from A to B, with respect to invariants $I_A$ 
and $I_B$. 

Proof. The time condition and start condition are easy to see; it remains to show 
the step condition, Condition 3. Suppose $s' \xrightarrow{\pi}_A s$, $s', s \in I_A$, $r(s') \in I_B$. The 
proof is by cases: 

1. $\pi = tick_1(c)$ 

Then I claim that $r(s') \xrightarrow{tick_1(c)}_B r(s)$. This is straightforward because $\delta \leq \epsilon$: 
the precondition for $tick_1(c)$ in A is at least as strong as in B. 

2. $\pi = deliver(c)$, $c > s'.clock_2$ 

Then I claim that $r(s') \xrightarrow{tick_2(c)}_B r(s)$. Since $s \in I_A$, it must be that $|s.clock_2 - 
s.now| \leq \epsilon$. But $s.clock_2 = c$, by the effect of the $deliver(c)$ action. Also, 
$s'.now = s.now$. So $|c - s'.now| \leq \epsilon$. Thus, the precondition of the $tick_2(c)$ 
action in B holds. The effect clearly corresponds. 

3. $\pi = deliver(c)$, $c \leq s'.clock_2$ 
Then $r(s') = r(s)$, which suffices. 

4. $\pi = report_i(c)$ 

Then it is straightforward to show that $r(s') \xrightarrow{report_i(c)}_B r(s)$. 

5. $\pi = \nu$, increasing by $\Delta t$. 

Then I claim that $r(s') \xrightarrow{\nu}_B r(s)$. Define $t = s'.now + \Delta t$. The precondition 
of $\pi$ in A implies that $|t - s'.clock_1| \leq \delta \leq \epsilon$. Since $s \in I_A$, it follows that 
$|s.clock_2 - s.now| \leq \epsilon$. But $t = s.now$ and $s.clock_2 = s'.clock_2$, so that 
$|t - s'.clock_2| \leq \epsilon$. This yields the precondition for $\nu(\Delta t)$ in B. The effect 
corresponds. 

□ 

This proves the following theorem. 

Theorem 15. Let A be the clock synchronization algorithm and B the bounded 
clock system. Then $A \leq_{WR} B$, and therefore $A \leq B$. 

This example showed a simple weak refinement. For an example of a weak 
forward simulation, consider A', which is defined to be the same system as A, 
but instead of sending the full clock values, node 1 just sends the "low-order bits". 
More precisely, in place of sending $c$, node 1 sends $c' = c \bmod \gamma$, for some fixed $\gamma$ 
such that $\gamma > 2\epsilon + 2\delta$. (I use the notation $c \bmod \gamma$ to denote the remainder when 
$c$ is divided by $\gamma$, i.e., $c - \gamma \lfloor c/\gamma \rfloor$.) The second component, $v$, of each message, 
is still allowed to be an unbounded time, because it does not represent an actual 
component to be included in the message, but rather just a conceptual real-time 
deadline. 



The key idea is that from any state $s$ of algorithm A, the range of $c$ values 
that might arrive at node 2 in a deliver step in algorithm A is $[s.clock_2 - \epsilon - 
\delta, s.clock_2 + \epsilon + \delta]$. Thus, node 2 can correctly decode an arriving condensed clock 
value $c'$ into the unique clock value $c$ in the given range such that $c' = c \bmod \gamma$, 
and sets $clock_2$ to $\max(clock_2, c)$. 

In more detail, the modified actions are as follows. Here, $decode$ is defined 
to be the partial function such that $decode(c, d)$ is the (unique) value $c' \in [d - 
\epsilon - \delta, d + \epsilon + \delta]$ such that $c = c' \bmod \gamma$, if one exists, else undefined. 

$tick_1(c)$ 
  Precondition: 
    $c > clock_1$ 
    $|c - now| \leq \delta$ 
  Effect: 
    $clock_1 := c$ 
    add $(c \bmod \gamma, now + d)$ to $channel$ 

$deliver(c)$ 
  Precondition: 
    $(c, v) \in channel$ 
  Effect: 
    remove $(c, v)$ from $channel$ 
    $clock_2 := \max(clock_2, decode(c, clock_2))$ 

There is a (multivalued) forward simulation from A' to A, defined by $(s,u) \in 
f$ if and only if all state components are the same in $s$ and $u$, with the follow- 
ing exception. For each message $(c, v)$ in $u.channel$, the corresponding message 
$(c \bmod \gamma, v)$ appears in $s.channel$. Correctness of this simulation rests on first 
proving the invariant for A that all clock values appearing in messages in the 
channel are in the indicated interval; this follows in turn from the claim that 
$clock_2$ and all the clocks in the channel are in the interval $[now - \epsilon, now + \delta]$. 
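The following is an added example, my own code rather than anything from the paper, of the condensed-clock encoding of A' and node 2's decode step. The names condense, decode, deliver and round_trip are mine; they stand for the paper's $c \bmod \gamma$, $decode(c, d)$, the effect of $deliver(c)$, and one tick-then-deliver exchange. It also shows why the condition $\gamma > 2\epsilon + 2\delta$ matters: when $\gamma$ is too small, the interval $[d - \epsilon - \delta, d + \epsilon + \delta]$ can contain two values with the same low-order bits and the decode is ambiguous.

```python
# Added example, not code from the paper: condensed clock values of A' and node 2's
# decode step. condense/decode/deliver/round_trip are my own names; eps, delta and
# gamma are the paper's epsilon, delta and gamma.
from fractions import Fraction as Fr
from math import ceil, floor
from typing import Optional


def condense(c, gamma):
    """c mod gamma as defined in the text: the remainder c - gamma*floor(c/gamma)."""
    return c - gamma * (c // gamma)


def decode(c_prime, d, eps, delta, gamma) -> Optional[Fr]:
    """The partial function decode(c', d): the unique c in [d-eps-delta, d+eps+delta]
    with c' = c mod gamma, or None if there is no such c. It also returns None when
    there are two or more candidates. That cannot happen when gamma > 2*eps + 2*delta
    (the window is then shorter than one period), so a mis-chosen gamma is detected
    instead of being silently decoded to the wrong clock value."""
    lo, hi = d - eps - delta, d + eps + delta
    # every c with c mod gamma = c' has the form c' + m*gamma for an integer m
    m_lo, m_hi = ceil((lo - c_prime) / gamma), floor((hi - c_prime) / gamma)
    candidates = [c_prime + m * gamma for m in range(m_lo, m_hi + 1)]
    return candidates[0] if len(candidates) == 1 else None


def deliver(clock2, c_prime, eps, delta, gamma):
    """Effect of deliver(c') in A': clock2 := max(clock2, decode(c', clock2)).
    The text leaves max(clock2, undefined) undefined; here (my choice) an undefined
    decode leaves clock2 unchanged."""
    c = decode(c_prime, clock2, eps, delta, gamma)
    return clock2 if c is None else max(clock2, c)


def round_trip(clock1, clock2, eps, delta, gamma):
    """Node 1 has just ticked to clock1 and sends the condensed value;
    node 2, currently at clock2, delivers it. Returns node 2's new clock."""
    return deliver(clock2, condense(clock1, gamma), eps, delta, gamma)


if __name__ == "__main__":
    # constructed sample values: eps = delta = 1, so gamma must exceed 4
    print(round_trip(Fr(13), Fr(12), Fr(1), Fr(1), Fr(5)))   # node 2 recovers 13 from 13 mod 5 = 3
    print(decode(condense(Fr(14), Fr(4)), Fr(12), Fr(1), Fr(1), Fr(4)))  # gamma = 4: ambiguous, None
```

With $\epsilon = \delta = 1$ and $\gamma = 5$, the window around $clock_2 = 12$ is $[10, 14]$ and contains exactly one value congruent to the received residue, so node 2 recovers node 1's clock exactly; with $\gamma = 4$ the same window contains both 10 and 14, which share the residue 2, and the decode is undefined.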

This example shows a typical use for forward simulations - describing an 
optimized version of an algorithm in terms of a simple, less efficient original ver- 
sion. In such a case, the correspondence generally needs to be multi- valued, since 
the original algorithm typically contains more information than the optimized 
version. 

I do not have a related example to show here of a backward simulation. In 
fact, it seems hard to find practical examples where backward simulations are 
needed. They arise in situations where a choice is made earlier in the specification 
automaton than in the implementation automaton. I will not mention backward 
simulations any further in this paper; all the remaining examples will involve 
forward simulations only. 

4 A Specialized Model 

So far, I have presented the basic concepts for simulation proofs in the setting 
of a very general timed automaton model. But when one carries out interesting 
verifications, it is often the case that the implementation and/or specification 
has some specialized structure that can help to "stylize" the proofs. Next I will 
describe a special case of the general timed automaton model that I have found 
to be suitable for describing most implementations, and many specifications as 
well. 



4.1 MMT Automata 

The specialized model is based on one defined by Merritt, Modugno and Tuttle 
[29], hence I call it the MMT automaton model. An MMT automaton is basically 
an I/O automaton [23, 24] together with some upper and lower bounds on time. 
An I/O automaton A consists of 

- a set states(A) of states; 

- a nonempty subset start(A) of start states; 

- a set acts(A) of actions, partitioned into external and internal actions; the 
external actions are further partitioned into input and output actions; 

- a set steps(A) of steps; this is a subset of states(A) x acts(A) x states(A); 

- a partition part(A) of the locally controlled (i.e., output and internal) actions 
into at most countably many equivalence classes. 

An action $\pi$ is said to be enabled in a state $s'$ provided that there exists a state 
$s$ such that $(s', \pi, s) \in steps(A)$, i.e., such that $s' \xrightarrow{\pi}_A s$. A set of actions is said 
to be enabled in $s'$ provided that at least one action in that set is enabled in $s'$. 
It is required that the automaton be input-enabled, by which is meant that $\pi$ is 
enabled in $s'$ for every state $s'$ and input action $\pi$. Note that there is no explicit 
time-passage action. The final component, part, is sometimes called the fairness 
partition. Each class in this partition groups together actions that are supposed 
to be part of the same "task". Fair executions are defined in such a way as to 
allow "fair turns" to each class of the partition. That is, for each partition class 
C, either (a) the execution is finite and ends in a state in which C is not enabled, 
or (b) the execution is infinite and either contains infinitely many C actions or 
infinitely many states in which C is not enabled. The I/O automaton model 
is a simple, yet rather expressive model for asynchronous concurrent systems. 
Typical examples of its use in describing and reasoning about such systems 
appear in [22]. 

The I/O automaton model, however, does not have any facilities for describ- 
ing timing-based systems. An MMT automaton is obtained by augmenting an 
I/O automaton with certain upper and lower time bound information. In this 
paper, I use a special case of the MMT model that is described formally in [20]. 
Namely, let A be an I/O automaton with only finitely many partition classes. 
For each class $C$, define lower and upper time bounds, $lower(C)$ and $upper(C)$, 
where $0 \leq lower(C) < \infty$ and $0 < upper(C) \leq \infty$; that is, the lower bounds cannot 
be infinite and the upper bounds cannot be 0. 

A timed execution of an MMT automaton A is defined to be an alternating 
sequence of the form $s_0, (\pi_1, t_1), s_1, \ldots$ where now the $\pi$'s are input, output or 
internal actions. For each $j$, it must be that $s_j \xrightarrow{\pi_{j+1}}_A s_{j+1}$. The successive times 
are nondecreasing, and are required to satisfy the given lower and upper bound 
requirements. More specifically, define $j$ to be an initial index for a class $C$ 
provided that $C$ is enabled in $s_j$, and either $j = 0$, or else $C$ is not enabled in 
$s_{j-1}$, or else $\pi_j \in C$; initial indices are the points at which the bounds for $C$ 
begin to be measured. Then for every initial index $j$ for a class $C$, the following 
conditions must hold: 

1. (Upper bound) 

If $upper(C) \neq \infty$, then there exists $k > j$ with $t_k \leq t_j + upper(C)$ such that 
either $\pi_k \in C$ or $C$ is not enabled in $s_k$. 

2. (Lower bound) 

There does not exist $k > j$ with $t_k < t_j + lower(C)$ and $\pi_k \in C$. 

Note that an upper bound of $\infty$ does not impose any requirement that actions 
in the corresponding class ever occur. Finally, admissibility is required: if the se- 
quence is infinite, then the times of actions approach $\infty$. More formal statements 
of these conditions appear in [20]. 

Each timed execution of an MMT automaton A gives rise to a timed trace, 
which is just the subsequence of external actions and their associated times. The 
admissible timed traces of the MMT automaton A are just the timed traces that 
arise from all the timed executions of A. 

MMT automata can be composed in much the same way as ordinary I/O 
automata, using synchronization on common actions. More specifically, define 
two MMT automata A and B to be compatible according to the same definition 
of compatibility for general timed automata. Then the composition of the two 
automata is the MMT automaton consisting of the I/O automaton that is the 
composition of the two component I/O automata (according to the definition of 
composition in [23,24]), together with the bounds arising from the components. 
This composition operator is substitutive for the admissible timed trace inclusion 
ordering on MMT automata. 

The MMT model just described is useful for describing many real-time sys- 
tems. It is especially good as a low-level model for computer systems, since the 
class structure and associated time bounds are natural ways of modelling phys- 
ical components and their speeds. However, it cannot be used for describing 
hybrid systems, in which state changes can accompany time-passage actions. 
Also, the MMT model does not appear to be general enough to provide a good 
model for arbitrary specifications or high-level system descriptions. For exam- 
ple, the model does not seem to be appropriate for describing the bounded clock 
system in Section 2.6. 

Note that MMT automata, as presented so far, are not exactly a special case 
of the general (Lynch-Vaandrager) timed automata I described earlier. This is 
because the MMT model uses an "external" way of specifying the time bound re- 
strictions, via the added lower and upper bounds. The Lynch-Vaandrager model, 
in contrast, builds the time-bound restrictions explicitly into the time-passage 
steps. However, it is not hard to transform any MMT automaton A into a 
naturally-corresponding Lynch-Vaandrager timed automaton A'. This can be 
done using a construction similar to the one in Section 3 of [20], as follows. 

First, the state of the MMT automaton A is augmented with a now com- 
ponent, plus first(C) and last(C) components for each class. The first(C) and 
last(C) components represent, respectively, the earliest and latest time in the 
future that an action in class C is allowed to occur. The rest of the state is 
called basic. The now, first and last components all take on values that rep- 
resent absolute times, not incremental times. The time-passage action v is also 
added. 

The first and last components get updated in the natural way by the various 
steps, according to the lower and upper bounds specified in the MMT automaton 
A. The time-passage action has explicit preconditions saying that time cannot 
pass beyond any of the last(C) values, since these represent deadlines for the 
various tasks. Note that this usage of the last(C) components as deadlines is 
similar to the usage of deadline components in messages in the clock synchro- 
nization algorithm above. Restrictions are also added on actions in any class C, 
saying that the current time now must be at least equal to first(C). 

In more detail, each state of A' is a record consisting of a component $basic$, 
which is a state of A, a component $now \in R^{+}$, and, for each class $C$ of A, 
components $first(C)$ and $last(C)$, each in $R^{+} \cup \{\infty\}$. Each start state $s$ of A' 
has $s.basic \in start(A)$, and $s.now = 0$. Also, if $C$ is enabled in $s.basic$, then 
$s.first(C) = lower(C)$ and $s.last(C) = upper(C)$; otherwise $s.first(C) = 0$ and 
$s.last(C) = \infty$. The actions of A' are the same as those of A, with the addition 
of the time-passage action $\nu$. Each non-time-passage action is classified as an 
input, output or internal action according to its classification in A. 

The steps are defined as follows. If $\pi \in acts(A)$, then $s' \xrightarrow{\pi}_{A'} s$ exactly if all 
the following conditions hold: 

1. $s'.now = s.now$. 

2. $s'.basic \xrightarrow{\pi}_A s.basic$. 

3. For each $C \in part(A)$: 

(a) If $\pi \in C$ then $s'.first(C) \leq s'.now$. 

(b) If $C$ is enabled in both $s$ and $s'$, and $\pi \notin C$, then $s.first(C) = s'.first(C)$ 
and $s.last(C) = s'.last(C)$. 

(c) If $C$ is enabled in $s$ and either $C$ is not enabled in $s'$ or $\pi \in C$ then 
$s.first(C) = s'.now + lower(C)$ and $s.last(C) = s'.now + upper(C)$. 

(d) If $C$ is not enabled in $s$ then $s.first(C) = 0$ and $s.last(C) = \infty$. 

On the other hand, if $\pi = \nu$, then $s' \xrightarrow{\nu}_{A'} s$ exactly if all the following conditions 
hold: 

1. $s'.now < s.now$. 

2. $s.basic = s'.basic$. 

3. For each $C \in part(A)$: 

(a) $s.now \leq s'.last(C)$. 

(b) $s.first(C) = s'.first(C)$ and $s.last(C) = s'.last(C)$. 



The resulting timed automaton A' has exactly the same admissible timed 
traces as the MMT automaton A. Moreover, this transformation commutes with 
the operation of composition, up to isomorphism. From now on in this paper, 
I will often refer to an MMT timed automaton and to its transformed version 
interchangeably, relying on the context to distinguish them. 

Suppose that two MMT automata are given, one (A) describing an imple- 
mentation and the other (B) describing a specification. Then by regarding both 
A and B as timed automata, it is possible to use the simulation techniques de- 
fined in Section 3 to show that A implements B (in the sense of admissible timed 
trace inclusion). 

4.2 Example: Fischer's Mutual Exclusion Algorithm 

In this subsection, I use MMT automata to model a simple algorithm - the well- 
known Fischer mutual exclusion algorithm using read-write shared memory [10]. 
This algorithm has become a standard example for demonstrating the power 
of formal methods for reasoning about real-time systems. It can be verified in 
several ways, but to fit it into this paper, I express the proof as a simulation. 

The most important correctness property of this algorithm is mutual ex- 
clusion. Other properties may also be of interest, for example, a time bound 
property, limiting the time that it takes from when anyone requests the resource 
until someone gets it, and a liveness property, stating that if anyone is trying 
to obtain the resource, then someone succeeds. In this subsection, I will just 
argue mutual exclusion, but will return to this example twice later in the paper 
to prove time bounds and liveness properties. Both of these proofs will also be 
based on simulations, but they will require a little more machinery (which I will 
introduce shortly). 

I begin with the problem specification. It consists of a set of users, $U_i$, $1 \leq i \leq 
n$, each an MMT automaton, plus a mutex object $M$, also an MMT automaton. 
Let $U$ denote the composition of all the $U_i$. 

Each $U_i$ has a state containing its current region, either trying, critical, exit 
or remainder. The outputs are $try_i$ and $exit_i$, while the inputs are $crit_i$ and $rem_i$. 
Each action moves the user to the indicated region. The input-output behavior 
is intended to be cyclical, in the order $try_i, crit_i, exit_i, rem_i, \ldots$; the definition of 
the user guarantees that it will not be the first to violate the cyclic condition. 

The $try_i$ and $exit_i$ actions are placed in separate singleton classes of the 
fairness partition. There are no special bounds on when try actions must occur, 
or when the critical region must be exited; therefore, the bounds are just the 
trivial $[0, \infty]$ for each class. 

Automaton $U_i$: User 

Actions: 
  Input: 
    $crit_i$ 
    $rem_i$ 
  Output: 
    $try_i$ 
    $exit_i$ 

State components: 
  $region_i \in \{rem, try, crit, exit\}$, initially $rem$ 

$try_i$ 
  Precondition: 
    $region_i = rem$ 
  Effect: 
    $region_i := try$ 

$crit_i$ 
  Effect: 
    $region_i := crit$ 

$exit_i$ 
  Precondition: 
    $region_i = crit$ 
  Effect: 
    $region_i := exit$ 

$rem_i$ 
  Effect: 
    $region_i := rem$ 

Classes and Bounds: 
  $\{try_i\}$, bounds $[0, \infty]$ 
  $\{exit_i\}$, bounds $[0, \infty]$ 




The mutex object models the high-level behavior of a mutual exclusion sys- 
tem. It interacts with users by receiving the $try_i$ and $exit_i$ inputs and producing 
the $crit_i$ and $rem_i$ outputs. It keeps track of the regions for all the users, and 
ensures that it does not issue two crit actions before the first has exited. All crit 
actions are placed in one class, while each $rem_i$ is in a class by itself. Again, all 
the classes only have the trivial bounds $[0, \infty]$. (Recall that for now, I am only 
going to prove mutual exclusion, not time bounds or liveness, so no interesting 
bounds are included in the specification.) 



Automaton M: Mutex Object 

Actions: 
  Input: 
    $try_i$, $1 \leq i \leq n$ 
    $exit_i$, $1 \leq i \leq n$ 
  Output: 
    $crit_i$, $1 \leq i \leq n$ 
    $rem_i$, $1 \leq i \leq n$ 

State components: 
  $region_i$, $1 \leq i \leq n$, each in $\{rem, try, crit, exit\}$, initially $rem$ 

$try_i$ 
  Effect: 
    $region_i := try$ 

$crit_i$ 
  Precondition: 
    $region_i = try$ 
    for all $j$, $region_j \neq crit$ 
  Effect: 
    $region_i := crit$ 

$exit_i$ 
  Effect: 
    $region_i := exit$ 

$rem_i$ 
  Precondition: 
    $region_i = exit$ 
  Effect: 
    $region_i := rem$ 

Classes and Bounds: 
  $crit = \{crit_i, 1 \leq i \leq n\}$, bounds $[0, \infty]$ 
  $\{rem_i\}$, $1 \leq i \leq n$, bounds $[0, \infty]$ 

Finally, I present the algorithm. It is modelled formally as a single MMT 
automaton containing several processes sharing read-write memory. The state 
consists of the state of the shared memory (in this case, just the single variable 
x), plus the local states of all the processes. Each class of the fairness partition 
consists of actions of just one of the processes. 

In this algorithm, each process i that is trying to obtain the resource tests 
the shared variable x until it finds the value equal to 0. After it finds this value, 
process i sets x to its own index i. Then it checks that x is still equal to i. If 
so, process i obtains the resource, and otherwise, it goes back to the beginning, 
testing for x = 0. When a process i exits, it resets x to 0. 

A possible problem with the algorithm as described so far is that two pro- 
cesses, i and j, might both test x and find its value to be 0. Then i might set 
x := i and immediately check and find its own index, and then j might do the 
same. This execution is illustrated in Figure 1. 



[Figure 1: timelines of two processes $i$ and $j$. Process $i$: test, set, check, crit. Process $j$: test, set, check, crit, with $j$'s set and check after $i$'s check.] 

Fig. 1. Bad interleaving prevented by Fischer mutual exclusion algorithm 



In order to avoid this bad interleaving, a simple time restriction is used. 
Each of the actions $test_i$, $set_i$, $check_i$, $crit_i$, $reset_i$, $rem_i$, for each $i$, comprises 
a singleton class. The bounds assigned to all the classes are $[0, \infty]$, with the 
following exceptions: $set_i$ gets assigned $[0, a]$ and $check_i$ gets assigned $[b, \infty]$, for 
some constants $a, b$, where $a < b$. 



The two bounds a and b prevent the bad interleaving in Figure 1 as follows. 
Any process i that sets x := i is made to wait long enough before checking to 
ensure that any other process j that tested x before i set x (and therefore might 
subsequently set x to its own index) has already set x to its index. That is, there 
should be no processes left at the point of setting, when i finally checks. 



Automaton F: Fischer Mutual Exclusion Algorithm 

Actions: 
  Input: 
    $try_i$, $1 \leq i \leq n$ 
    $exit_i$, $1 \leq i \leq n$ 
  Output: 
    $crit_i$, $1 \leq i \leq n$ 
    $rem_i$, $1 \leq i \leq n$ 
  Internal: 
    $test_i$, $1 \leq i \leq n$ 
    $set_i$, $1 \leq i \leq n$ 
    $check_i$, $1 \leq i \leq n$ 
    $reset_i$, $1 \leq i \leq n$ 

State components: 
  $pc_i$, $1 \leq i \leq n$, each in $\{rem, test, set, check, \text{leave-try}, crit, reset, \text{leave-exit}\}$, 
    initially $rem$ 
  $x$, an integer in $[0, n]$, initially 0 

$try_i$ 
  Effect: 
    $pc_i := test$ 

$test_i$ 
  Precondition: 
    $pc_i = test$ 
  Effect: 
    if $x = 0$ then $pc_i := set$ 

$set_i$ 
  Precondition: 
    $pc_i = set$ 
  Effect: 
    $x := i$ 
    $pc_i := check$ 

$check_i$ 
  Precondition: 
    $pc_i = check$ 
  Effect: 
    if $x = i$ then $pc_i := \text{leave-try}$ 
    else $pc_i := test$ 

$crit_i$ 
  Precondition: 
    $pc_i = \text{leave-try}$ 
  Effect: 
    $pc_i := crit$ 

$exit_i$ 
  Effect: 
    $pc_i := reset$ 

$reset_i$ 
  Precondition: 
    $pc_i = reset$ 
  Effect: 
    $x := 0$ 
    $pc_i := \text{leave-exit}$ 

$rem_i$ 
  Precondition: 
    $pc_i = \text{leave-exit}$ 
  Effect: 
    $pc_i := rem$ 

Classes and Bounds: 
  Assume $a < b$. 
  $\{test_i\}$, $1 \leq i \leq n$, bounds $[0, \infty]$ 
  $\{set_i\}$, $[0, a]$ 
  $\{check_i\}$, $[b, \infty]$ 
  $\{crit_i\}$, $[0, \infty]$ 
  $\{reset_i\}$, $[0, \infty]$ 
  $\{rem_i\}$, $[0, \infty]$ 

Consider the composition $F \times U$. When this is transformed into a timed 
automaton, the only nontrivial state components that are added by the trans- 
formation are $now$, and $last(set_i)$ and $first(check_i)$, $1 \leq i \leq n$. (Here and else- 
where, I am using the convention of naming a singleton class by the single action 
contained in the class. Also, for simplicity, I ignore trivial first and last compo- 
nents.) Likewise, when $M \times U$ is transformed into a timed automaton, the only 
nontrivial added state component is $now$. Note that the external actions in each 
of the compositions $F \times U$ and $M \times U$ are $try_i$, $crit_i$, $exit_i$ and $rem_i$, $1 \leq i \leq n$. 
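The following is an added example, my own code and not the paper's. It serves two passages at once: it implements the Section 4.1 transformation of an MMT automaton into a timed automaton (the $now$, $first(C)$ and $last(C)$ components, conditions 1 to 3 for non-time-passage steps, and the deadline check on time passage), and it instantiates that transformation for $F \times U$ so that the interleaving of Figure 1 can be replayed. The names MMT, TimedState, fischer, run_schedule and FIG1_SCHEDULE are mine; $try_i$ and $exit_i$ are treated as the users' locally controlled outputs with trivial bounds, as in the composed system, and every class is a singleton named by its action, following the paper's convention.

```python
# Added example, not code from the paper: MMT -> timed automaton transformation of
# Section 4.1, then F x U for Fischer's algorithm replayed on the Figure 1 interleaving.
# MMT, TimedState, fischer, run_schedule, FIG1_SCHEDULE are my own names.
from dataclasses import dataclass, field
from math import inf
from typing import Callable, Dict, Hashable, Optional, Tuple


@dataclass
class MMT:
    start: Hashable                                  # basic start state
    enabled: Callable[[Hashable], set]               # actions enabled in a basic state
    step: Callable[[Hashable, Hashable], Hashable]   # (s', pi) -> s in the I/O automaton
    cls: Callable[[Hashable], Optional[str]]         # fairness class of pi (None for inputs)
    bounds: Dict[str, Tuple[float, float]]           # C -> (lower(C), upper(C))


@dataclass
class TimedState:
    basic: Hashable
    now: float = 0.0
    first: Dict[str, float] = field(default_factory=dict)
    last: Dict[str, float] = field(default_factory=dict)


def class_enabled(m, basic, C):
    return any(m.cls(a) == C for a in m.enabled(basic))


def init_timed(m):
    """Start state of A': now = 0; enabled classes get (lower, upper), others (0, inf)."""
    s = TimedState(m.start)
    for C, (lo, up) in m.bounds.items():
        s.first[C], s.last[C] = (lo, up) if class_enabled(m, s.basic, C) else (0.0, inf)
    return s


def do_action(m, s, a):
    """Non-time-passage step of A' (conditions 1-3); raises if pi is not allowed."""
    if a not in m.enabled(s.basic):
        raise ValueError(f"{a} not enabled")
    Ca = m.cls(a)
    if Ca is not None and s.first[Ca] > s.now:        # 3(a): lower bound of pi's class
        raise ValueError(f"{a} too early: first={s.first[Ca]} now={s.now}")
    t = TimedState(m.step(s.basic, a), s.now)          # 1: now unchanged; 2: basic step
    for C, (lo, up) in m.bounds.items():
        was, is_ = class_enabled(m, s.basic, C), class_enabled(m, t.basic, C)
        if not is_:                                    # 3(d): class disabled in s
            t.first[C], t.last[C] = 0.0, inf
        elif was and C != Ca:                          # 3(b): stays enabled, untouched
            t.first[C], t.last[C] = s.first[C], s.last[C]
        else:                                          # 3(c): newly enabled, or C acted
            t.first[C], t.last[C] = s.now + lo, s.now + up
    return t


def pass_time(m, s, dt):
    """Time-passage step nu: now may not move past any deadline last(C)."""
    late = [C for C in m.bounds if s.now + dt > s.last[C]]
    if late:
        raise ValueError(f"time cannot pass to {s.now + dt}: deadlines {late}")
    return TimedState(s.basic, s.now + dt, dict(s.first), dict(s.last))


PCS = {"try": "test", "crit": "crit", "exit": "reset", "rem": "rem"}  # unconditional pc updates


def fischer(n, a, b):
    """F x U with n processes: basic state (pc_1..pc_n, x). Every action is a singleton
    class named by the action; set_i has bounds [0, a], check_i has [b, inf]."""
    NEXT = {"rem": "try", "test": "test", "set": "set", "check": "check",
            "leave-try": "crit", "crit": "exit", "reset": "reset", "leave-exit": "rem"}
    def enabled(st):
        return {(NEXT[pc], i + 1) for i, pc in enumerate(st[0])}
    def step(st, act):
        pcs, x = list(st[0]), st[1]
        kind, i = act
        if kind == "test":    pcs[i - 1] = "set" if x == 0 else "test"
        elif kind == "set":   x, pcs[i - 1] = i, "check"
        elif kind == "check": pcs[i - 1] = "leave-try" if x == i else "test"
        elif kind == "reset": x, pcs[i - 1] = 0, "leave-exit"
        else:                 pcs[i - 1] = PCS[kind]
        return (tuple(pcs), x)
    bounds = {f"{k}_{i}": (0.0, inf) for i in range(1, n + 1) for k in NEXT.values()}
    for i in range(1, n + 1):
        bounds[f"set_{i}"], bounds[f"check_{i}"] = (0.0, a), (b, inf)
    return MMT((("rem",) * n, 0), enabled, step, lambda act: f"{act[0]}_{act[1]}", bounds)


def run_schedule(m, schedule):
    """Apply ('pass', dt) and action entries in order, stopping at the first rejected step.
    Returns (final state, processes whose pc is crit, rejection reason or None)."""
    s, why = init_timed(m), None
    for e in schedule:
        try:
            s = pass_time(m, s, e[1]) if e[0] == "pass" else do_action(m, s, e)
        except ValueError as err:
            why = str(err)
            break
    return s, [i + 1 for i, pc in enumerate(s.basic[0]) if pc == "crit"], why


# Figure 1 (constructed schedule): both pass the test, then 1 sets and checks, then 2 does.
FIG1_SCHEDULE = [("try", 1), ("try", 2), ("test", 1), ("test", 2), ("set", 1), ("pass", 1.0),
                 ("check", 1), ("crit", 1), ("set", 2), ("pass", 1.0), ("check", 2), ("crit", 2)]

if __name__ == "__main__":
    print(run_schedule(fischer(2, a=1.0, b=2.0), FIG1_SCHEDULE)[1:])   # check_1 rejected as too early
    print(run_schedule(fischer(2, a=2.0, b=1.0), FIG1_SCHEDULE)[1:])   # a >= b: both reach crit
```

With $a < b$ the schedule is rejected at $check_1$: after $set_1$ at time 0, $first(check_1) = b$ while $last(set_2) \leq a$, so time cannot pass to $b$ until $set_2$ has happened, and once it has, $check_1$ finds $x = 2$ and fails. With the bounds reversed ($a \geq b$) the same schedule is admitted and both processes end in $crit$, which is exactly the interleaving the time restriction is meant to exclude.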

I claim that the composition $F \times U$ is an implementation of $M \times U$, in the 
sense that $F \times U \leq M \times U$. To show the implementation, I define a mapping 
$r$ from $F \times U$ to $M \times U$. Here, dot notation is used to indicate component 
automata, as well as state components. 



- $r(s).now = s.now$. 

- $r(s).U.region_i = s.U.region_i$. 

- $r(s).M.region_i = \begin{cases} try & \text{if } s.F.pc_i \in \{test, set, check, \text{leave-try}\}, \\ crit & \text{if } s.F.pc_i = crit, \\ exit & \text{if } s.F.pc_i \in \{reset, \text{leave-exit}\}, \\ rem & \text{if } s.F.pc_i = rem. \end{cases}$ 



In order to show that r is a weak refinement, I first prove some invariants. 
The main invariant is mutual exclusion, i.e., that there do not exist two different 
users whose regions are both crit. Mutual exclusion is proved by means of a series 
of auxiliary invariants; these invariants and their proofs are due to Luchangco 
[18], and are based on those used by Abadi and Lamport [1]. The first property 
is obvious from the general definitions of the last functions - it says that the 
last value is no later than the current time plus the upper bound for the class. 

Lemma 16. The following is true of every reachable state of $F \times U$: 
If $pc_i = set$ then $last(set_i) \leq now + a$. 

This lemma can be used to prove the following key claim. It says that the 
earliest time a successful $check_i$ can happen is after the $set_j$ of any $j$ that has 
already passed the test. This lemma serves to rule out the bad interleaving in 
Figure 1, in which the sequence $set_i, check_i, set_j, check_j$ occurs, and both checks 
are successful. 

Lemma 17. The following is true of every reachable state of $F \times U$: 
If $pc_i = check$ and $x = i$ and $pc_j = set$ then $first(check_i) > last(set_j)$. 

Proof. By induction. Again, I consider steps of the form $s' \xrightarrow{\pi} s$. Here, the only 
interesting cases are: 

1. $\pi = set_i$ 

Then $s.first(check_i) = s.now + b$ and $s.last(set_j) \leq s.now + a$, by Lemma 16. 
Since $a < b$, the inequality follows. 

2. $\pi = test_j$ and $s'.x = 0$ (i.e., the test is successful) 
Then $s.x = 0$, making the statement true vacuously. 

□ 

The next lemma says that if a process $i$ is in the critical region (or just before 
or just after it), then $x = i$ and no other process can be about to set. 

Lemma 18. The following is true of every reachable state of $F \times U$: 
If $pc_i \in \{\text{leave-try}, crit, reset\}$ then $x = i$ and for all $j$, $pc_j \neq set$. 

Proof. By induction. The interesting cases are: 

1. $\pi = check_i$ and $s'.x = i$ (i.e., the check is successful) 

Then $s.x = s'.x = i$, and Lemma 17, together with the time requirements, 
imply that no $j$ has $s'.pc_j = set$, nor (therefore) $s.pc_j = set$. 

2. $\pi = set_j$, $j \neq i$ 

This is impossible because the inductive hypothesis implies that there can 
be no $j$ with $s'.pc_j = set$. 

3. $\pi = reset_j$, $j \neq i$ 

This is impossible because if it were true, the inductive hypothesis applied 
to both $i$ and $j$ would imply the contradictory requirements $s'.x = i$ and 
$s'.x = j$. 

4. $\pi = test_j$, $j \neq i$, and $s'.x = 0$ (i.e., the test is successful) 

Then the inductive hypothesis implies that $s'.pc_i \notin \{\text{leave-try}, crit, reset\}$, 
so $s.pc_i \notin \{\text{leave-try}, crit, reset\}$, which implies that the condition is true 
vacuously. 

□ 

Now it is not hard to see that Lemma 18 implies the mutual exclusion prop- 
erty. 

Lemma 19 (Mutual Exclusion). The following is true of every reachable state 
of $F \times U$: 

There do not exist $i, j$, $i \neq j$, such that $pc_i = pc_j = crit$. 

Now, using the mutual exclusion invariant, it is possible to argue that r is a 
weak refinement. This claim says a bit more than just that the algorithm satisfies 
the mutual exclusion property: it says that the algorithm actually implements a 
mutual exclusion system, with a particular interface, input/output conventions, 
etc. 

Lemma 20. The function $r$ is a weak refinement from $F \times U$ to $M \times U$. 

Proof. Straightforward. The dangerous steps to check are those of the form 
$s' \xrightarrow{crit_i} s$, where some process $j$ is in the critical region in state $s'$. But then 
both $i$ and $j$ would be in the critical region, in state $s$, which violates the mutual 
exclusion property for $s$, a contradiction. □ 

Theorem 21. Let F be the Fischer mutual exclusion algorithm, U the composed 
user automaton and M the mutex object. Then $F \times U \leq_{WR} M \times U$, and therefore 
$F \times U \leq M \times U$. 

Note that this proof, while technically a simulation proof, does not really 
demonstrate the power of the method, since the key property being proved, 
mutual exclusion, is shown just using invariants. The remaining examples in 
this paper better illustrate the power of the simulation method. I will return to 
the Fischer mutual exclusion example twice more, once to argue time bounds 
and once to argue liveness, both using simulations. 

For later use, I also state the following invariant: 

Lemma 22. The following is true of every reachable state of $F \times U$: If $x = i$ 
then $pc_i \in \{check, \text{leave-try}, crit, reset\}$. 



5 Using Simulations to Prove Time Bounds 



In the previous section, I introduced the MMT model and used it to describe 
Fischer's mutual exclusion algorithm. I then used invariants and simulations to 
prove that the algorithm satisfies the mutual exclusion property. In this section, 
I show how simulations can be used to prove something more than just basic 
safety properties - they can also be used to prove time bounds. 

In the Fischer example, the implementation automaton had upper and lower 
bound assumptions, which were used in proving the basic safety property. The 
specification, however, did not include any time bounds. The main idea for prov- 
ing time bounds via simulations is to include lower and upper time bounds on 
the classes of the specification MMT automaton. I demonstrate the power of 
this method with three examples: a simple counting process, a two-process race 
system, and Fischer's mutual exclusion algorithm. I also indicate how the same 
method can be used to prove time bounds for asynchronous algorithms. 

I believe that these examples demonstrate that the power of simulation meth- 
ods is much greater in the real-time setting than it is in the asynchronous setting. 
For in the asynchronous setting there are usually liveness conditions rather than 
time bounds to be proved. Proofs of liveness conditions require some extra ma- 
chinery, e.g., temporal logic, in addition to simulations, but time bounds can be 
proved just using simulations. I will say more about liveness in Section 6. 

This method of proving timing properties is derived from [20]. Also, the first 
two examples are simplifications of examples in that paper. 



5.1 Example: Counting Process 

The first example involves a simple automaton that just counts down from some 
fixed positive integer $k$ and then reports its completion. If the time between the 
automaton's steps is always in a limited range, say $[c_1, c_2]$, then it should be 
possible to prove a corresponding range of times until the report occurs. 

Automaton Count: Counting Automaton 

Actions: 
  Output: 
    $report$ 
  Internal: 
    $decrement$ 

State components: 
  $count$, initially $k > 0$ 
  $reported$, Boolean, initially $false$ 

$decrement$ 
  Precondition: 
    $count > 0$ 
  Effect: 
    $count := count - 1$ 

$report$ 
  Precondition: 
    $count = 0$ 
    $reported = false$ 
  Effect: 
    $reported := true$ 

Classes and Bounds: 
  $\{report\}$, bounds $[c_1, c_2]$ 
  $\{decrement\}$, bounds $[c_1, c_2]$ 



Informally, it is easy to see that the time until a report occurs can be any 
time in the interval $[(k + 1)c_1, (k + 1)c_2]$. In order to prove this formally, I ex- 
press these time bound assumptions by a trivial high-level reporting automaton 
called Report. In the following formal description, I parameterize the name of 
this automaton by the time bounds that it is to guarantee. This is for the pur- 
pose of disambiguation, because in the next example, I will use another Report 
automaton, with different time bounds. 

Automaton Report[$d_1$, $d_2$]: Reporting Automaton 

Actions: 
  Output: 
    $report$ 

State components: 
  $reported$, Boolean, initially $false$ 

$report$ 
  Precondition: 
    $reported = false$ 
  Effect: 
    $reported := true$ 

Classes and Bounds: 
  $\{report\}$, bounds $[d_1, d_2]$ 

I show that Count implements Report[$(k + 1)c_1$, $(k + 1)c_2$], using a weak 
forward simulation. The multiple values permitted by a forward simulation are 
needed because the simulation is expressed in terms of inequalities. Specifically, 
I define $(s,u) \in f$ provided that the following hold: 

- $u.now = s.now$, 

- $u.reported = s.reported$, 

- $u.last(report) \geq \begin{cases} s.last(decrement) + s.count \cdot c_2 & \text{if } s.count > 0, \\ s.last(report) & \text{otherwise.} \end{cases}$ 

- $u.first(report) \leq \begin{cases} s.first(decrement) + s.count \cdot c_1 & \text{if } s.count > 0, \\ s.first(report) & \text{otherwise.} \end{cases}$ 

The idea of the simulation is as follows. The $now$ and $reported$ component 
definitions are straightforward. The $last(report)$ component is constrained to be 
at least as large as a quantity that is calculated in terms of the state (including 
time components) of Count. This quantity is a calculated upper bound on the 
latest time until a report action is performed by Count. There are two cases: If 
$count > 0$, then this time is bounded by the last time at which the first decrement 
can occur, plus the additional time required to do $count - 1$ decrement steps, 
followed by a report; since each of these $count$ steps could take at most time 
$c_2$, this additional time is at most $count \cdot c_2$. On the other hand, if $count = 0$, 
then this time is bounded by the last time at which the report can occur. The 
inequality expresses the fact that this calculated bound on the actual time until 
report is at most equal to the upper bound to be proved. The interpretation 
of the $first(report)$ component is symmetric - it should be no larger than a 
calculated lower bound on the earliest time until a report action is performed by 
Count. 

In order to prove that / is a weak forward simulation, I use the simple 
invariant "if count > then reported — false", plus basic properties of the 
Count automaton, of the style of Lemma 16. 

Lemma 23. The relation f is a weak forward simulation from Count to
Report[(k + 1)c1, (k + 1)c2].

Proof. The proof proceeds in the usual way for forward simulations, verifying
the three properties in the definition one by one. The inequalities are treated in
the same manner as any other type of relation between the states. The corre-
spondence between now values is immediate.

For the correspondence between start states, let s and u be the unique start
states of Count and Report[(k + 1)c1, (k + 1)c2], respectively. I show that (s, u) ∈ f.
The first two parts of the definition of f are immediate; consider the third part.
The definition of Report implies that u.last(report) = (k + 1)c2, while the
definition of Count implies that s.count = k > 0 and s.last(decrement) + s.count · c2
= c2 + k·c2 = (k + 1)c2. Therefore, u.last(report) = s.last(decrement) + s.count · c2,
which shows the third part of the definition of f. The fourth part is analogous to
the third.

Finally, for the correspondence between steps, consider cases based on types
of transitions. For example, consider a step (s', decrement, s) of Count, where
u' ∈ f[s']. Since decrement is enabled in s', it must be that s'.count > 0. Suppose
that also s.count > 0. The fact that u' ∈ f[s'] means that u'.now = s'.now,
u'.reported = s'.reported, u'.last(report) ≥ s'.last(decrement) + s'.count · c2,
and u'.first(report) ≤ s'.first(decrement) + s'.count · c1. Since decrement is
internal, the corresponding fragment of Report is trivial, so it suffices to show
that u' ∈ f[s].

The first two conditions in the definition of f carry over immediately. For
the third condition, the left-hand side of the inequality, last(report), does not
change, while on the right-hand side, last(decrement) increases by at most c2
and the second term decreases by exactly c2. (The reason why last(decrement)
increases by at most c2 is as follows: the construction of the timed automaton
from the MMT automaton for Count, captured in the invariants, implies
that s'.now ≤ s'.last(decrement), while s.last(decrement) = s.now + c2
and s.now = s'.now.) So the inequality still holds after the step.

Similar arguments can be made for the lower bound, and for the case of
decrementing to 0. □

Theorem 24. Count ≤_wf Report[(k + 1)c1, (k + 1)c2], and therefore Count ≤
Report[(k + 1)c1, (k + 1)c2].

The main content of this theorem is that Count satisfies the timing require- 
ments. In the rest of the paper, I will focus on upper bound results and proofs; 
lower bounds can be stated and proved similarly. 



5.2 Example: Two-Process Race 

This is an example suggested by Pnueli [34] as a test case for proof methods for 
timing-based systems. Consider an MMT automaton Race with state variables 
count, flag, and reported. The automaton can be thought of as consisting of two 
tasks. The main task increments the variable count as long as the flag is false, 
then decrements count back to 0. When the value of the count has been restored 
to 0, the main task reports its completion. There is a separate interrupt task 
whose sole job is to set the flag to true. 

Automaton Race: Two-Process Race System

Actions:
  Output:
    report
  Internal:
    increment
    decrement
    set

State components:
  count, a nonnegative integer, initially 0
  flag, a Boolean, initially false
  reported, a Boolean, initially false

increment
  Precondition:
    flag = false
  Effect:
    count := count + 1

set
  Precondition:
    flag = false
  Effect:
    flag := true

decrement
  Precondition:
    flag = true
    count > 0
  Effect:
    count := count − 1

report
  Precondition:
    flag = true
    count = 0
    reported = false
  Effect:
    reported := true

Classes and Bounds:
  main = {increment, decrement, report}, bounds [c1, c2]
  int = {set}, bounds [0, a]

Let C = c2/c1.

The correctness specification is the automaton Report[0, a + c2 + Ca], where
Report is defined in the previous example. (I am only proving the upper bound
here, so I use a lower bound of 0.) The reason why a + c2 + Ca is a correct upper
bound is, intuitively, as follows. Within time a, the int task sets the flag to true.
During this time, the count could reach at most a/c1. Then it takes at most
time (a/c1)c2 = Ca for the main task to decrement count to 0, and another c2
to report.

I show that this bound is correct by a simple weak forward simulation from
Race to Report[0, a + c2 + Ca]. Specifically, I define (s, u) ∈ f provided that the
following hold:

- u.now = s.now.

- u.reported = s.reported.

- \[
u.\mathit{last}(\mathit{report}) \ge
\begin{cases}
s.\mathit{last}(\mathit{int}) + (s.\mathit{count} + 2)\,c_2 + C\,\bigl(s.\mathit{last}(\mathit{int}) - s.\mathit{first}(\mathit{main})\bigr) & \text{if } s.\mathit{flag} = \mathit{false} \text{ and } s.\mathit{first}(\mathit{main}) \le s.\mathit{last}(\mathit{int}),\\
s.\mathit{last}(\mathit{main}) + s.\mathit{count}\cdot c_2 & \text{otherwise.}
\end{cases}
\]

The idea of the last inequality is as follows. If flag = true, then the time
remaining until report is just the time for the main task to do the remaining
decrement steps, followed by the final report. The same reasoning holds if flag
is still false, but must become true before there is time for another increment
to occur, i.e., if s.first(main) > s.last(int). Otherwise, there is time for at least
one more increment to occur, i.e., s.flag = false and s.first(main) ≤ s.last(int);
then the first case of the inequality for last(report) applies.

In this case, after the set, it might take as long as time (count + 1)c2 for
the main task to count down from the current count, and then to report. But
the current count could be increased by some additional increment events that
happen before the set. The largest number of these that might occur is 1 +
(last(int) − first(main))/c1. Multiplying this by c2 gives the extra time required
to decrement this additional count.

Again, the only invariants needed are general properties of the sort in Lemma
16. Now the standard proof methods yield:

Lemma 25. The relation f is a weak forward simulation from Race to Report[0, a +
c2 + Ca].

Theorem 26. Race ≤_wf Report[0, a + c2 + Ca], and therefore Race ≤ Report[0, a +
c2 + Ca].
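The Count and Race arguments of Sections 5.1 and 5.2 can be exercised mechanically. The following Python program is an added example and is not code from the paper: it runs Count and Race as timed automata with first/last deadlines, drives the Report automaton alongside them, and checks the simulation relation f in every state of randomly generated admissible timed executions, so that a violated inequality, or a Report deadline that the implementation would have forced the specification to miss, shows up as an assertion failure. Count is defined earlier in the paper and not reproduced here, so the program assumes a reading of it: count starts at k, and decrement (enabled when count > 0) and report (enabled when count = 0 and reported = false) are separate classes, each with bounds [c1, c2]. The class names, the use of exact rational time, the random scheduler and the numeric parameters are choices made for this example. Such a run tests the relation; the proof is the case analysis in the text.

```python
import random
from fractions import Fraction as Fr

INF = float("inf")

class MMT:
    """Timed automaton from an MMT automaton: classes with [lower, upper] bounds and
    first/last deadlines (first = 0, last = inf while a class is disabled)."""
    def __init__(self, bounds):
        self.bounds, self.now = bounds, Fr(0)
        self.first, self.last = {c: Fr(0) for c in bounds}, {c: INF for c in bounds}
        self._reset(set())
    def _reset(self, keep):          # keep: classes enabled before and after, untouched
        for c, (lo, hi) in self.bounds.items():
            if not self.enabled(c):
                self.first[c], self.last[c] = Fr(0), INF
            elif c not in keep:      # newly enabled, or just performed
                self.first[c], self.last[c] = self.now + lo, self.now + hi
    def pass_time(self, d):
        assert 0 <= d and self.now + d <= min(self.last.values()), "deadline passed"
        self.now += d
    def do(self, c):
        assert self.enabled(c) and self.first[c] <= self.now, "action not yet allowed"
        keep = {k for k in self.bounds if k != c and self.enabled(k)}
        self.effect(c)
        self._reset(keep)

class Report(MMT):                   # Report[d1, d2] of Section 5.1
    def __init__(self, d1, d2):
        self.reported = False
        super().__init__({"report": (d1, d2)})
    def enabled(self, c): return not self.reported
    def effect(self, c): self.reported = True

class Count(MMT):
    """Assumed reading of Count: count starts at k; decrement (count > 0) and report
    (count = 0, not yet reported) are separate classes, each with bounds [c1, c2]."""
    def __init__(self, k, c1, c2):
        self.count, self.reported = k, False
        super().__init__({"decrement": (c1, c2), "report": (c1, c2)})
    def enabled(self, c):
        return self.count > 0 if c == "decrement" else (self.count == 0 and not self.reported)
    def effect(self, c):
        if c == "decrement": self.count -= 1
        else: self.reported = True

class Race(MMT):
    """Race of Section 5.2: main = {increment, decrement, report} with [c1, c2] and
    int = {set} with [0, a]; exactly one main action is enabled until report."""
    def __init__(self, c1, c2, a):
        self.count, self.flag, self.reported = 0, False, False
        super().__init__({"main": (c1, c2), "int": (0, a)})
    def enabled(self, c): return (not self.flag) if c == "int" else (not self.reported)
    def effect(self, c):
        if c == "int": self.flag = True            # set
        elif not self.flag: self.count += 1        # increment
        elif self.count > 0: self.count -= 1       # decrement
        else: self.reported = True                 # report

def f_count(s, u):
    """The relation f of Section 5.1 (both the last and the first inequality)."""
    c1, c2 = s.bounds["decrement"]
    ub = s.last["decrement"] + s.count * c2 if s.count > 0 else s.last["report"]
    lb = s.first["decrement"] + s.count * c1 if s.count > 0 else s.first["report"]
    return (u.now == s.now and u.reported == s.reported
            and u.last["report"] >= ub and u.first["report"] <= lb)

def f_race(s, u):
    """The relation f of Section 5.2 (upper bound only), with C = c2/c1."""
    c1, c2 = s.bounds["main"]
    if not s.flag and s.first["main"] <= s.last["int"]:
        ub = s.last["int"] + (s.count + 2) * c2 + Fr(c2, c1) * (s.last["int"] - s.first["main"])
    else:
        ub = s.last["main"] + s.count * c2
    return u.now == s.now and u.reported == s.reported and u.last["report"] >= ub

def run(impl, spec, sim, rng, max_steps=10_000):
    """One random admissible timed execution of impl. spec (a Report) takes the same
    time-passage steps and matches the visible report; sim is checked in every state.
    Returns the time at which report occurred."""
    for _ in range(max_steps):
        assert sim(impl, spec), f"simulation violated at time {impl.now}"
        if impl.reported:
            return impl.now
        slack = min(impl.last.values()) - impl.now        # time left before a deadline
        ready = [c for c in impl.bounds if impl.enabled(c) and impl.first[c] <= impl.now]
        if ready and (slack == 0 or rng.random() < 0.5):
            impl.do(rng.choice(ready))
            if impl.reported:                             # report is the only visible action
                spec.do("report")
        else:
            d = slack * Fr(rng.randint(0, 4), 4)          # pass a random part of the slack
            impl.pass_time(d)
            spec.pass_time(d)
    raise RuntimeError("no report within max_steps")

def trial(kind, runs=200, seed=7):
    """Repeat run(); returns the (earliest, latest) report time observed."""
    rng, times = random.Random(seed), []
    for _ in range(runs):
        if kind == "count":
            k, c1, c2 = 3, 2, 5
            times.append(run(Count(k, c1, c2), Report((k + 1) * c1, (k + 1) * c2), f_count, rng))
        else:
            c1, c2, a = 2, 5, 7
            times.append(run(Race(c1, c2, a), Report(0, a + c2 + Fr(c2, c1) * a), f_race, rng))
    return min(times), max(times)

if __name__ == "__main__":
    print("Count:", trial("count"), "must lie within [8, 20]")
    print("Race: ", trial("race"), "must lie within [0, 59/2]")
```

The Report automaton is never scheduled on its own: it only takes the time-passage steps and the report step that the implementation forces on it, so the assertions inside pass_time and do are exactly the claim that f relates the two states and that the corresponding Report step is enabled when it is needed. With the parameters above the Race executions all report by time 26, inside the bound 59/2 = a + c2 + Ca; the bound is not tight because a/c1 is not an integer.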

5.3 Example: Fischer Mutual Exclusion Algorithm 

As the third example of proving time bounds via simulations, I return to the 
Fischer mutual exclusion algorithm, F. This time, I prove an upper bound for 
the time from when some process is trying to obtain the resource and no one 
is critical, until some process is critical. There is also a corresponding bound 
(trivial to prove) for the remainder region. 

In order to prove these time bounds, I must assume additional time bounds 
for process steps, besides the upper bound of a on set steps and lower bound 
of b on check steps already used for proving mutual exclusion. For simplicity, I 
assign the same upper bound of a used for set steps to all of the other locally 
controlled steps except for the check steps, i.e., to the test, crit, reset and rem 
steps. (Upper bounds are not needed for try or exit steps.) I also assign an 
upper bound of c to the check steps, for some c > b. The result is a new MMT 
automaton, which I call F'. 

I also express the time bound requirements using an MMT automaton, M'.
M' is the same as M except that the class crit of crit_i actions has the bounds
[0, 2c + 5a] and each class rem_i has the bounds [0, 2a]. (Note: It appears that the
upper bound can be improved to 2c + 5a − b, at the cost of some complication.
Details appear in [18].)

For the proof, I could give a direct weak forward simulation from F' × U
to M' × U, but it seems useful instead to introduce an intermediate level of
abstraction. The intermediate level expresses certain milestones toward the goal
of some process reaching the critical region. (This general approach is derived
from [18].) Specifically, from the point when the class crit becomes
enabled (that is, when some process enters the trying region when no process is
critical, or when some process leaves the critical region), there is a later step at
which some process first converts x from 0 to a process index; I call this a seize
step. Then there is a later step at which some process last sets x to an index,
leaving no other processes with program counters equal to set (this means that
no one will do another set before some process reaches the critical region); I
call this a stabilize step. The milestones I will consider are just the seize and
stabilize steps.



I will argue that, from the time of enabling of crit, a seize step occurs at
most time c + 3a later. Then from the time of a seize step, a stabilize step occurs
at most time a later. And from the time of a stabilize step, a crit step occurs
at most time c + a later. The total is 2c + 5a, as claimed. To express these
milestones, I describe an intermediate MMT automaton I'.

Automaton I': Intermediate Automaton for Fischer Algorithm

Actions:
  Input:
    try_i, 1 ≤ i ≤ n
    exit_i, 1 ≤ i ≤ n
  Output:
    crit_i, 1 ≤ i ≤ n
    rem_i, 1 ≤ i ≤ n
  Internal:
    seize
    stabilize

State components:
  region_i, i ∈ I, an element of {rem, try, crit, exit}, initially rem
  status, an element of {start, seized, stab}, initially start

try_i
  Effect:
    region_i := try

seize
  Precondition:
    ∃i, region_i = try
    ∀i, region_i ≠ crit
    status = start
  Effect:
    status := seized

stabilize
  Precondition:
    status = seized
  Effect:
    status := stab

crit_i
  Precondition:
    region_i = try
    status = stab
  Effect:
    region_i := crit
    status := start

exit_i
  Effect:
    region_i := exit

rem_i
  Precondition:
    region_i = exit
  Effect:
    region_i := rem

Classes and Bounds:
  {seize}, bounds [0, c + 3a]
  {stabilize}, bounds [0, a]
  crit = {crit_i : 1 ≤ i ≤ n}, bounds [0, c + a]
  {rem_i}, 1 ≤ i ≤ n, bounds [0, 2a]



There is a simple weak forward simulation from I' × U to M' × U. Namely,
define (s, u) ∈ f provided that the following hold.

- u.now = s.now.

- u.U.region_i = s.U.region_i for all i.

- u.M'.region_i = s.I'.region_i for all i.

- \[
u.\mathit{last}(\mathit{crit}) \ge
\begin{cases}
s.\mathit{last}(\mathit{seize}) + c + 2a & \text{if } s.\mathit{status} = \mathit{start},\\
s.\mathit{last}(\mathit{stabilize}) + c + a & \text{if } s.\mathit{status} = \mathit{seized},\\
s.\mathit{last}(\mathit{crit}) & \text{if } s.\mathit{status} = \mathit{stab}.
\end{cases}
\]

- u.last(rem_i) ≥ s.last(rem_i).

Here, the inequality for last(crit) uses a calculated upper bound on the time
until I' × U performs a crit action. This calculation is based on a series of cases.
Working backwards, in the last case, where status = stab, crit is enabled in
I' × U, and a calculated upper bound is just last(crit). In the next-to-last case,
stabilize is enabled, and after it occurs, only the worst-case time c + a for crit
remains. In the first case, seize is enabled, and after it occurs, the additional
remaining time is at most the worst-case time for stabilize and crit to occur, in
succession.

To show that f is a weak forward simulation, I use the following invariant
of I' × U: If region_i = crit for some i, then status = start. (Also, once again, I
need some properties of the sort in Lemma 16. From now on, I will omit explicit
mention of such properties.)

Lemma 27. The relation f is a weak forward simulation from I' × U to M' × U.

Theorem 28. I' × U ≤_wf M' × U, and therefore I' × U ≤ M' × U.

Now I consider the simulation from F' × U to I' × U. Define (s, u) ∈ g if the
following hold. (All unbound uses of process indices are implicitly universally
quantified.)

- u.now = s.now.

- u.U.region_i = s.U.region_i.

- \[
u.I'.\mathit{region}_i =
\begin{cases}
\mathit{rem} & \text{if } s.F'.pc_i = \mathit{rem},\\
\mathit{crit} & \text{if } s.F'.pc_i = \mathit{crit},\\
\mathit{exit} & \text{if } s.F'.pc_i \in \{\mathit{reset}, \mathit{leave\text{-}exit}\},\\
\mathit{try} & \text{otherwise.}
\end{cases}
\]

- \[
u.\mathit{status} =
\begin{cases}
\mathit{start} & \text{if } s.x = 0, \text{ or } \exists i : s.pc_i \in \{\mathit{crit}, \mathit{reset}\}, \text{ else}\\
\mathit{seized} & \text{if } \exists i : s.pc_i = \mathit{set}, \text{ else}\\
\mathit{stab}. &
\end{cases}
\]

- u.last(seize) ≥ s.last(reset_i) + c + 2a if s.pc_i = reset.

- u.last(seize) ≥ min_i{h(i)} if s.x = 0, where
\[
h(i) =
\begin{cases}
s.\mathit{last}(\mathit{check}_i) + 2a & \text{if } s.pc_i = \mathit{check},\\
s.\mathit{last}(\mathit{test}_i) + a & \text{if } s.pc_i = \mathit{test},\\
s.\mathit{last}(\mathit{set}_i) & \text{if } s.pc_i = \mathit{set},\\
\infty & \text{otherwise.}
\end{cases}
\]

- u.last(stabilize) ≥ s.last(set_i) if s.pc_i = set.

- \[
u.\mathit{last}(\mathit{crit}) \ge
\begin{cases}
s.\mathit{last}(\mathit{check}_i) + a & \text{if } s.pc_i = \mathit{check} \wedge s.x = i,\\
s.\mathit{last}(\mathit{crit}_i) & \text{if } s.pc_i = \mathit{leave\text{-}try}.
\end{cases}
\]

- \[
u.\mathit{last}(\mathit{rem}_i) \ge
\begin{cases}
s.\mathit{last}(\mathit{reset}_i) + a & \text{if } s.pc_i = \mathit{reset},\\
s.\mathit{last}(\mathit{rem}_i) & \text{if } s.pc_i = \mathit{leave\text{-}exit}.
\end{cases}
\]

The now and region correspondences and status definition are straightfor-
ward. The first inequality for seize says that if some process is about to reset,
then the time until the variable is seized is at most an additional c + 2a after the
reset occurs. The second inequality for seize says that if x = 0 (which means
that no process is about to reset), then the time until the variable is seized is
determined by the minimum of a set of possible times, each corresponding to
some candidate process that might set x. For instance, if some process i is about
to set x, then the corresponding time is only the maximum time until it does so,
while if i is about to test x, then the corresponding time is an additional a after
the test occurs. The interpretations for the remaining inequalities are similar.

To show that g is a weak forward simulation, I use the invariant of F' x U 
given in Lemma 18. Then: 

Lemma 29. The relation g is a weak forward simulation from F' xU to I' xU. 

Proof. (Rough sketch) Each external step simulates a corresponding external
step of I' × U. A set step that changes x from 0 to a process index simulates
seize, while a set step that occurs when no process is in critical or reset, and
after which there are no other processes with pc = set, simulates stabilize. A set
step that satisfies both of these conditions simulates both seize and stabilize, in
that order. All other steps simulate a trivial timed execution fragment with no
actions. □

Theorem 30. Let F' be the Fischer mutual exclusion algorithm with time bounds,
U the composed user automaton, and I' the Fischer intermediate automaton with
time bounds. Then F' × U ≤_wf I' × U, and therefore F' × U ≤ I' × U.

Corollary 31. Let F' be the Fischer mutual exclusion algorithm with time bounds,
U the composed user automaton, and M' the mutex object with time bounds.
Then F' × U ≤ M' × U.



5.4 Example: Dijkstra's Mutual Exclusion Algorithm 

Using these simulation methods, it is also possible to carry out rigorous time 
complexity analysis for asynchronous algorithms. It might not be clear to the 
reader what it means to analyze the time complexity for an asynchronous algo- 
rithm, since asynchronous algorithms, by definition, have no timing assumptions 
on their steps; thus, it is impossible to prove any unconditional time bounds for 



their user-visible behavior. However, it is reasonable to assume upper bounds on 
time for various steps, since just assuming upper bounds (and no lower bounds) 
does not restrict the possible executions of the algorithm. Given such upper 
bounds on steps, it is often possible to prove upper bounds on the time for 
interesting behavior. 

Analyzing the time complexity of asynchronous algorithms is often a very 
difficult task. Generally, such analysis has been done in an informal and oper- 
ational style. But it is not hard to see that the simulation methods described 
in this paper can also be used in the asynchronous setting, yielding proofs that 
express the key insights, yet can be done in complete formal detail. 

I illustrate with sketches of two examples. In this subsection, I consider Di- 
jkstra's asynchronous algorithm [8] for mutual exclusion using read-write shared 
memory. In the following subsection, I consider a simple leader election algo- 
rithm. 

The Dijkstra algorithm, rewritten to fit the precondition-effect notation, is 
as follows. 



Automaton D: Dijkstra's Mutual Exclusion Algorithm

Actions:
  Input:
    try_i, 1 ≤ i ≤ n
    exit_i, 1 ≤ i ≤ n
  Output:
    crit_i, 1 ≤ i ≤ n
    rem_i, 1 ≤ i ≤ n
  Internal:
    announce_i, 1 ≤ i ≤ n
    test1_i, 1 ≤ i ≤ n
    test2(j)_i, 1 ≤ i, j ≤ n
    set_i, 1 ≤ i ≤ n
    advance_i, 1 ≤ i ≤ n
    check_i(j), 1 ≤ i, j ≤ n
    reset_i, 1 ≤ i ≤ n

State components:
  pc_i, 1 ≤ i ≤ n, an element of
    {rem, ann, test1, test2(j), set, adv, check, leave-try, crit, reset, leave-exit},
    each initially rem
  x, an element of I, initially arbitrary
  flag_i, i ∈ I, an element of {0, 1, 2}, initially 0
  S_i, i ∈ I, a set of process indices, initially {i}

try_i
  Effect:
    pc_i := ann

announce_i
  Precondition:
    pc_i = ann
  Effect:
    flag_i := 1
    pc_i := test1

test1_i
  Precondition:
    pc_i = test1
  Effect:
    if x = i then pc_i := adv
    else pc_i := test2(x)

test2(j)_i
  Precondition:
    pc_i = test2(j)
  Effect:
    if flag_j = 0 then pc_i := set
    else pc_i := test1

set_i
  Precondition:
    pc_i = set
  Effect:
    x := i
    pc_i := test1

advance_i
  Precondition:
    pc_i = adv
  Effect:
    flag_i := 2
    pc_i := check
    S_i := {i}

check_i(j)
  Precondition:
    pc_i = check
    j ∉ S_i
  Effect:
    if flag_j = 2 then pc_i := ann
    else
      S_i := S_i ∪ {j}
      if |S_i| = n then pc_i := leave-try

crit_i
  Precondition:
    pc_i = leave-try
  Effect:
    pc_i := crit

exit_i
  Effect:
    pc_i := reset

reset_i
  Precondition:
    pc_i = reset
  Effect:
    flag_i := 0
    pc_i := leave-exit

rem_i
  Precondition:
    pc_i = leave-exit
  Effect:
    pc_i := rem

Classes and Bounds:
  For each i, there is a separate class for each type of locally controlled action;
  each class has bounds [0, a].

It is not difficult to prove that algorithm D × U satisfies mutual exclusion,
where U is the composed user automaton used in the Fischer example. The
proof is by induction as usual, with the following as a key auxiliary invariant:
¬[∃i, j : (i ≠ j) ∧ (i ∈ S_j) ∧ (j ∈ S_i)]. Then a weak forward simulation can be
given from D × U to M × U, where M is the mutex object used in the Fischer
algorithm.

In order to prove an upper bound on time, I once again modify the specifica-
tion M by adding time bounds. This time, however, the time bound for the crit
class is (3n + 11)a, while the bound for each rem_i is still 2a. I call the resulting
specification MD.

The proof strategy is similar to the one for the Fischer algorithm. I define
an intermediate automaton ID, also with seize and stabilize milestones, plus an
additional dropback milestone. The new code is as follows (ID is otherwise the
same as I'; its status component also takes the value drop):

Automaton ID: Intermediate Automaton for Dijkstra's Algorithm

dropback
  Precondition:
    status = stab
  Effect:
    status := drop

crit_i
  Precondition:
    region_i = try
    status = drop
  Effect:
    region_i := crit
    status := start

Classes and Bounds:
  {seize}, bounds [0, (n + 5)a]
  {stabilize}, bounds [0, 2a]
  {dropback}, bounds [0, (n + 1)a]
  crit = {crit_i : 1 ≤ i ≤ n}, bounds [0, (n + 3)a]
  {rem_i}, 1 ≤ i ≤ n, bounds [0, 2a]

The action seize is deemed to occur when no process is in the critical region
or at the point of reset, some process is trying, and x acquires a value that is the
index of a trying process with flag ≠ 0 (i.e., an announced trying process). Once
seize is enabled (when no process is in the critical region but some process is
trying, and x does not have such a value), it is at most one step (time a) until
any newly-exiting process j has reset its flag to 0, then at most n + 4 steps until
some process reaches test1, then test2, then set; this accomplishes a seize.
(There is a technicality: a process could be interrupted at test2 by the arrival
(more precisely, the announcement) of the process j whose index is already in
x. But such an announcement itself serves to accomplish the seize.)

The stabilize action is deemed to occur when x settles down to a value that
cannot be changed before someone reaches the critical region. By a similar ar-
gument to the one used for the Fischer algorithm, it takes at most 2 steps until
residual effects are removed, thus producing stabilization.

The dropback action is deemed to occur when all but the process whose index
is in x drop back to the first stage of the algorithm, where flag = 1 (or when
someone goes critical before this happens). This takes at most n + 1 steps. Then
the remaining process goes to the critical region in at most n + 3 steps.

The simulation from ID × U to MD × U is similar to that from I' × U to
M' × U. The simulation from D × U to ID × U is similar in style to that from
F' × U to I' × U, but is more complicated because of the additional technical
complications in this algorithm.



Specifically, (s, u) are related provided that the following hold.

- u.now = s.now.

- u.U.region_i = s.U.region_i.

- \[
u.ID.\mathit{region}_i =
\begin{cases}
\mathit{rem} & \text{if } s.D.pc_i = \mathit{rem},\\
\mathit{crit} & \text{if } s.D.pc_i = \mathit{crit},\\
\mathit{exit} & \text{if } s.D.pc_i \in \{\mathit{reset}, \mathit{leave\text{-}exit}\},\\
\mathit{try} & \text{otherwise.}
\end{cases}
\]

- \[
u.\mathit{status} =
\begin{cases}
\mathit{start} & \text{if } \exists i : s.pc_i \in \{\mathit{crit}, \mathit{reset}\}, \text{ or } s.\mathit{flag}_{s.x} = 0, \text{ else}\\
\mathit{seized} & \text{if } \exists i \ne s.x : s.pc_i \in \{\mathit{set}\} \cup \{\mathit{test2}(j) : j \ne s.x\}, \text{ else}\\
\mathit{stab} & \text{if } \exists i \ne s.x : s.pc_i = \mathit{adv} \vee s.\mathit{flag}_i = 2, \text{ else}\\
\mathit{drop}. &
\end{cases}
\]

- u.last(seize) ≥ s.last(reset_i) + (n + 4)a if s.pc_i = reset.

- u.last(seize) ≥ min_i{h(i)} if ∀i : s.pc_i ≠ reset, where
\[
h(i) =
\begin{cases}
s.\mathit{last}(\mathit{advance}_i) + (n + 3)a & \text{if } s.pc_i = \mathit{adv},\\
s.\mathit{last}(\mathit{check}_i) + (n - |s.S_i| + 3)a & \text{if } s.pc_i = \mathit{check},\\
s.\mathit{last}(\mathit{announce}_i) + 3a & \text{if } s.pc_i = \mathit{ann} \wedge s.x \ne i,\\
s.\mathit{last}(\mathit{test2}_i) + 3a & \text{if } s.pc_i = \mathit{test2}(j) \wedge j \ne s.x,\\
s.\mathit{last}(\mathit{test1}_i) + 2a & \text{if } s.pc_i = \mathit{test1},\\
s.\mathit{last}(\mathit{test2}_i) + a & \text{if } s.pc_i = \mathit{test2}(s.x),\\
s.\mathit{last}(\mathit{set}_i) & \text{if } s.pc_i = \mathit{set},\\
s.\mathit{last}(\mathit{announce}_i) & \text{if } s.pc_i = \mathit{ann} \wedge s.x = i,\\
\infty & \text{otherwise.}
\end{cases}
\]

- \[
u.\mathit{last}(\mathit{stabilize}) \ge
\begin{cases}
s.\mathit{last}(\mathit{test2}_i) + a & \text{if } s.pc_i = \mathit{test2}(j) \wedge j \ne s.x,\\
s.\mathit{last}(\mathit{set}_i) & \text{if } s.pc_i = \mathit{set}.
\end{cases}
\]

- \[
u.\mathit{last}(\mathit{dropback}) \ge
\begin{cases}
s.\mathit{last}(\mathit{advance}_i) + na & \text{if } s.pc_i = \mathit{adv} \wedge i \ne s.x,\\
s.\mathit{last}(\mathit{check}_i) + (n - |s.S_i|)a & \text{if } s.pc_i = \mathit{check} \wedge i \ne s.x,\\
s.\mathit{last}(\mathit{announce}_i) & \text{if } s.pc_i = \mathit{ann} \wedge s.\mathit{flag}_i = 2,\\
s.\mathit{last}(\mathit{crit}_i) & \text{if } s.pc_i = \mathit{leave\text{-}try}.
\end{cases}
\]

- u.last(crit) ≥ min_i{g(i)}, where
\[
g(i) =
\begin{cases}
s.\mathit{last}(\mathit{announce}_i) + (n + 2)a & \text{if } s.pc_i = \mathit{ann} \wedge s.x = i,\\
s.\mathit{last}(\mathit{test1}_i) + (n + 1)a & \text{if } s.pc_i = \mathit{test1} \wedge s.x = i,\\
s.\mathit{last}(\mathit{advance}_i) + na & \text{if } s.pc_i = \mathit{adv},\\
s.\mathit{last}(\mathit{check}_i) + (n - |s.S_i|)a & \text{if } s.pc_i = \mathit{check},\\
s.\mathit{last}(\mathit{crit}_i) & \text{if } s.pc_i = \mathit{leave\text{-}try},\\
\infty & \text{otherwise.}
\end{cases}
\]

- \[
u.\mathit{last}(\mathit{rem}_i) \ge
\begin{cases}
s.\mathit{last}(\mathit{reset}_i) + a & \text{if } s.pc_i = \mathit{reset},\\
s.\mathit{last}(\mathit{rem}_i) & \text{if } s.pc_i = \mathit{leave\text{-}exit}.
\end{cases}
\]



This definition may look formidable because of its size. However, as for the
Fischer algorithm, the now and region correspondences and status definition
are straightforward. The remaining pieces of the definition are inequalities de-
scribing the progress toward the various goals. For each goal, the cases in the
corresponding inequalities just trace this progress step-by-step.



In order to show that this is a weak forward simulation, we use the following
invariant:

Lemma 32. The following is true of every reachable state of D × U:

1. If pc_i ∈ {leave-exit, rem} then flag_i = 0.

2. If pc_i ∈ {test1, test2(j), set, adv}, then flag_i = 1.

3. If pc_i ∈ {check, leave-try, crit, reset} then flag_i = 2.

4. If pc_i = ann, then flag_i ∈ {0, 2}.

Lemma 33. This relation is a weak forward simulation from D × U to ID × U.

Theorem 34. Let D be the Dijkstra mutual exclusion algorithm, U the composed
user automaton, and ID the Dijkstra intermediate automaton. Then D × U ≤_wf
ID × U, and therefore D × U ≤ ID × U.

Corollary 35. Let D be the Dijkstra mutual exclusion algorithm, U the com-
posed user automaton, and MD the mutex object with time bounds [0, (3n + 11)a]
for the crit class and [0, 2a] for each rem_i class. Then D × U ≤ MD × U.
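The safety part of the Dijkstra argument (mutual exclusion and the invariant of Lemma 32) is small enough for exhaustive exploration. The following Python program is an added example, not code from the paper: it encodes the automaton D as transcribed above, lets the user automaton issue try_i whenever process i is in rem and exit_i whenever it is in crit (the assumed behaviour of U), and searches all reachable states of D × U for a given n, checking mutual exclusion, the four parts of Lemma 32, and the auxiliary invariant ¬[∃i, j : i ≠ j ∧ i ∈ S_j ∧ j ∈ S_i] restricted to processes that are past advance, where S_i is the set accumulated by the current scan (this restriction is the example's own choice). Time bounds play no role in these properties, so only the untimed step relation is explored.

```python
from collections import deque

# pc values are strings, except test2(j), represented as the tuple ("test2", j).
STAGE1 = ("test1", "set", "adv")                    # Lemma 32 part 2 (plus test2(j))
STAGE2 = ("check", "leave-try", "crit", "reset")    # Lemma 32 part 3

def initial_states(n):
    """x is 'initially arbitrary', so there is one start state per value of x."""
    pc = tuple("rem" for _ in range(n))
    flag = tuple(0 for _ in range(n))
    S = tuple(frozenset([i]) for i in range(n))
    return [(x, pc, flag, S) for x in range(n)]

def successors(state, n):
    """All states reachable by one non-time-passage step of D x U, where the user
    (assumed U) lets process i try whenever pc_i = rem and exit whenever pc_i = crit."""
    x, pc, flag, S = state
    out = []
    def step(i, pc_i, flag_i=None, S_i=None, new_x=None):
        return (x if new_x is None else new_x,
                pc[:i] + (pc_i,) + pc[i + 1:],
                flag[:i] + (flag[i] if flag_i is None else flag_i,) + flag[i + 1:],
                S[:i] + (S[i] if S_i is None else S_i,) + S[i + 1:])
    for i in range(n):
        p = pc[i]
        if p == "rem":                          # try_i
            out.append(step(i, "ann"))
        elif p == "ann":                        # announce_i
            out.append(step(i, "test1", flag_i=1))
        elif p == "test1":                      # test1_i
            out.append(step(i, "adv" if x == i else ("test2", x)))
        elif isinstance(p, tuple):              # test2(j)_i
            out.append(step(i, "set" if flag[p[1]] == 0 else "test1"))
        elif p == "set":                        # set_i
            out.append(step(i, "test1", new_x=i))
        elif p == "adv":                        # advance_i
            out.append(step(i, "check", flag_i=2, S_i=frozenset([i])))
        elif p == "check":                      # check_i(j), one step per j not in S_i
            for j in range(n):
                if j in S[i]:
                    continue
                if flag[j] == 2:
                    out.append(step(i, "ann"))
                else:
                    Sn = S[i] | {j}
                    out.append(step(i, "leave-try" if len(Sn) == n else "check", S_i=Sn))
        elif p == "leave-try":                  # crit_i
            out.append(step(i, "crit"))
        elif p == "crit":                       # exit_i
            out.append(step(i, "reset"))
        elif p == "reset":                      # reset_i
            out.append(step(i, "leave-exit", flag_i=0))
        elif p == "leave-exit":                 # rem_i
            out.append(step(i, "rem"))
    return out

def violations(state, n):
    """Mutual exclusion, Lemma 32 parts 1-4, and the auxiliary invariant restricted
    to processes past advance (check, leave-try, crit), where S_i is current."""
    _, pc, flag, S = state
    bad = []
    if sum(p == "crit" for p in pc) > 1:
        bad.append(("mutual exclusion", state))
    for i, p in enumerate(pc):
        if p in ("leave-exit", "rem") and flag[i] != 0: bad.append(("Lemma 32.1", i, state))
        if (p in STAGE1 or isinstance(p, tuple)) and flag[i] != 1: bad.append(("Lemma 32.2", i, state))
        if p in STAGE2 and flag[i] != 2: bad.append(("Lemma 32.3", i, state))
        if p == "ann" and flag[i] not in (0, 2): bad.append(("Lemma 32.4", i, state))
    scanning = [i for i, p in enumerate(pc) if p in ("check", "leave-try", "crit")]
    for i in scanning:
        for j in scanning:
            if i != j and i in S[j] and j in S[i]:
                bad.append(("auxiliary invariant", i, j, state))
    return bad

def explore(n):
    """Breadth-first search over D x U. Returns the number of reachable states, how
    many of them have some process critical, and every violation found."""
    seen = set(initial_states(n))
    queue, bad, critical = deque(seen), [], 0
    while queue:
        st = queue.popleft()
        bad += violations(st, n)
        critical += any(p == "crit" for p in st[1])
        for nxt in successors(st, n):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {"states": len(seen), "critical_states": critical, "violations": bad}

if __name__ == "__main__":
    for n in (2, 3):
        r = explore(n)
        print(f"n={n}: {r['states']} states, {r['critical_states']} with a critical process, "
              f"{len(r['violations'])} violations")
```

The count of states with a critical process guards against a vacuous result: a transcription error that disabled crit_i altogether would make mutual exclusion hold trivially. explore(2) finishes immediately; explore(3) visits many more states because, exactly as in the automaton, a stale S_i is kept after a scan is abandoned and only reset by the next advance_i.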

5.5 Example: LeLann-Chang-Roberts Leader Election Algorithm 

Luchangco [18] gives a formal proof of an upper bound on time for the LeLann- 
Chang-Roberts leader election algorithm for ring networks [4, 16]. The algorithm 
is simple: every processor in the network sends its processor identifier clockwise, 
and smaller identifiers that encounter larger identifiers are discarded. If a node 
receives its own identifier in a message, it elects itself as leader. An upper bound 
of c is assumed on the step time of each processor, and an upper bound of d is 
assumed for the time to deliver the oldest message in each channel. Under these 
assumptions, the time until a processor is elected is at most (n + l)c + nd, if 
there are n processors in the ring. 

The difficulties in the proof involve the possible pile-up of identifiers in chan- 
nels, if some processors and channels operate faster than others. Luchangco's 
proof is again based on the "milestone" idea. Here, there are n milestones; mile-
stone i, 1 ≤ i ≤ n, is said to be reached when the slowest token has pro-
gressed distance i around the ring. Formally, the specification automaton is just
Report[0, (n + l)c + nd], and the intermediate automaton describes milestones 
that are time at most c + d apart, followed by a leader election report occurring 
at most time c after the final milestone. The mapping from the algorithm to 
the intermediate automaton computes how many milestones have been reached 
based on the least progress made by any identifier. Details can be found in [18]. 

5.6 Progress Functions 

It should be apparent that the proofs in this section all have a similar style. In 
each case, the correspondence is a weak forward simulation. In each case, the 
simulation includes a set of inequalities involving calculated upper and lower 



bounds. It is possible to formalize this common structure, and to establish gen- 
eral sufficient conditions for a relation with this structure to be a weak forward 
simulation. Doing this can systematize and slightly shorten the proofs. 

In some more detail, the heart of each proof is a collection of definitions
of "progress functions", one corresponding to each upper or lower bound to be
proved, i.e., an upper bound expression ub(C) and a lower bound expression
lb(C) for each class C of the specification automaton. Then the portion of the
simulation involving the last and first components is of the form: for all C,
u.last(C) ≥ s.ub(C) and u.first(C) ≤ s.lb(C). The rest of the forward simulation
is defined by the equations u.now = s.now and u.basic = f(s), where f is some
function of the implementation state.

There are certain conditions that the progress functions have to satisfy in 
order for this correspondence to be a forward simulation. They are somewhat 
technical, so I paraphrase them roughly here. (A formal presentation, which 
includes some additional technicalities not mentioned here, appears in [20]; how- 
ever, I remind the reader that there are some technical differences between the 
model of that paper and the one used here.) 

For all classes C of the specification automaton: 

1. If s is a start state then f(s) is a start state; moreover, if C is enabled in
f(s) then s.ub(C) ≤ upper(C) and s.lb(C) ≥ lower(C).

2. For each non-time-passage step from s' to s, there is a "corresponding"
fragment of the specification automaton, beginning with f(s') and ending
with f(s), such that:

(a) If a C step occurs in this fragment, then s'.now ≥ s'.lb(C).

(b) If C remains enabled and no action in C occurs, then s.ub(C) ≤ s'.ub(C)
and s.lb(C) ≥ s'.lb(C).

(c) If C becomes newly enabled then s.ub(C) ≤ s'.now + upper(C) and
s.lb(C) ≥ s'.now + lower(C).

3. For each time-passage step from s' to s:

(a) f(s) = f(s').

(b) s.now ≤ s'.ub(C).

(c) s.ub(C) ≤ s'.ub(C) and s.lb(C) ≥ s'.lb(C).

A general theorem in [20] says that if a collection of progress functions sat- 
isfies these conditions, then combining the functions as indicated above yields a 
forward simulation. The examples in that paper are developed in terms of the 
formal notion of progress functions. It appears to be straightforward to carry 
out the technical modifications of the theorem to fit the model of this paper, 
as well as to incorporate invariants for the implementation automaton into the 
conditions, thereby obtaining similar sufficient conditions for a weak forward 
simulation. However, this work remains to be done. 

6 Liveness 

It is sometimes desirable to prove liveness properties, e.g., properties that say 
that something eventually happens, even for systems with time bounds. In do- 



ing this, it is sometimes useful to make liveness assumptions as well as timing 
assumptions. In this section, I give a way of describing systems with liveness 
assumptions, and a way, based on simulations and an "Execution Correspon- 
dence lemma", to verify that timed systems satisfy liveness properties. These 
notions are taken from [12]. I illustrate these methods with a proof of liveness 
for Fischer's mutual exclusion algorithm. 

6.1 Augmented Timed Automata and Execution Correspondence 

In order to describe liveness properties, I augment the timed automaton model. 
An augmented timed automaton consists of a timed automaton A, together with 
a subset L of the admissible timed executions called the live timed executions. 
(Normally, L is required to be of a restricted form - to contain an extension 
of every "finite" timed execution of A; however, I will not address this issue 
further in this paper, but refer the reader to [12].) A timed automaton A can 
be regarded as a special case of an augmented timed automaton, where the 
live timed executions are just the entire set of admissible executions. Define an 
admissible timed trace of A to be a live timed trace of (A, L) provided that it is 
the timed trace of some live timed execution of (A, L). 

If (A, L) and (B, M) are augmented timed automata, and A and B are com-
patible, then I define the composition of (A, L) and (B, M) to be the augmented
timed automaton (A × B, N), where N is the set of admissible executions of A × B
that project onto A and B to give timed executions in L and M, respectively.

If (A,L) and (B,M) are augmented timed automata, I define (A,L) < 
(B, M) provided that all the live timed traces of (A, L) are also live timed traces 
of (B,M). Then composition is substitutive with respect to <. 

For any augmented timed automaton (A, L), I define L_d, the live discrete
executions, to be the set of admissible discrete executions of A that sample
timed executions in L.

Given a timing-based algorithm with some additional liveness assumptions, 
it is natural to express the algorithm as an augmented timed automaton (A,L). 
If one wants to show that the algorithm satisfies certain high-level liveness prop- 
erties, then an effective strategy is to express the entire specification, safety 
plus liveness conditions, as another augmented timed automaton (B,M). Then 
showing that the algorithm satisfies the required liveness properties amounts to 
showing that (A,L) < (B,M). 

Now I describe one strategy for showing that (A, L) < (B, M). This strategy 
involves first showing a simulation from A to B, yielding safety and timing 
properties as usual. But more strongly, it turns out that a simulation yields a 
close correspondence between any admissible discrete execution of A and some 
admissible discrete execution of B. For instance, consider the following definition 
of a correspondence between discrete executions of two timed automata. The 
definition is adapted slightly from [12]. Let A and B be timed automata with
the same visible actions and let R be a relation over states(A) and states(B) that
only relates states with the same now component. Let α = s_0 π_1 s_1 π_2 s_2 ··· and
α' = s'_0 π'_1 s'_1 π'_2 s'_2 ··· be admissible discrete executions of A and B, respectively. I
say that α and α' are related by R, or (α, α') ∈ R, provided that there is a total
nondecreasing mapping m from natural numbers (i.e., indices of states in α) to
natural numbers (i.e., indices of states in α'), such that:

1. m(0) = 0.

2. (s_i, s'_{m(i)}) ∈ R for all i.

3. The execution fragment s'_{m(i)} ··· s'_{m(i+1)} contains the same sequence of timed
visible actions as the step s_i, π_{i+1}, s_{i+1}.

That is, the initial states of α and α' correspond, corresponding states are R-
related, and the fragment corresponding to any step has the same sequence of
timed visible actions. I also say that A and B are related by R (or (A, B) ∈ R)
if for every admissible discrete execution of A, there is an R-related admissible
discrete execution of B.

The next result says that all of the simulations that have been presented in 
this paper yield a stronger correspondence than just inclusion of sets of admissi- 
ble timed traces - they yield that the two automata are related by the simulation 
relation. 

Lemma 36 (Execution Correspondence). Suppose that $R$ is a refinement, 
forward simulation, or image-finite backward simulation from $A$ to $B$ (or a weak 
version thereof). Then $(A,B) \in R$. 

To show that $(A,L) \leq (B,M)$, one first produces a simulation from $A$ to $B$, 
in order to obtain a close correspondence between admissible discrete executions 
as just described. Given a live timed trace $\beta$ of $(A,L)$, one can obtain a timed 
execution $\alpha_1$ in $L$ that gives rise to $\beta$. Let $\alpha$ be any admissible discrete execution 
of $A$ that samples $\alpha_1$; Lemma 1 implies that $\alpha$ exists. Then $\alpha \in L_d$, by definition 
of $L_d$, and Lemma 2 implies that $\alpha$ also has $\beta$ as its timed trace. Next, one 
uses the Execution Correspondence Lemma to obtain a corresponding admissible 
discrete execution $\alpha'$ of $B$, again with $\beta$ as its timed trace. Then one shows that 
$\alpha' \in M_d$, by performing a case analysis based on the correspondence with $\alpha$ and 
the definition of $L_d$; this is the part of the proof that is specially tailored for each 
pair of augmented timed automata. Let $\alpha_2$ be a live timed execution of $(B,M)$ 
that is sampled by $\alpha'$; $\alpha_2$ exists by definition of $M_d$. Lemma 2 implies that $\alpha_2$ 
also has $\beta$ as its timed trace. This implies that $\beta$ is a live timed trace of $(B,M)$, 
as needed. 

In this way, the liveness proof can be built incrementally on top of the sim- 
ulation proof. 

6.2 Example: Fischer Mutual Exclusion Algorithm 

I consider a version $F''$ of Fischer's algorithm that is similar to the time-bounded 
version $F'$, but instead of the explicit upper bounds of $a$ on the steps, it just has 
eventual upper bounds for each type of step of each individual process. However, 
the upper bound of $a$ on each $set_i$ and the lower bound of $b$ on each $check_i$ are 
retained, because they are needed to guarantee the safety property (mutual 
exclusion). Formally, $F''$ can be described as an augmented timed automaton 
$(F, L_F)$, where $F$ is the original Fischer algorithm presented in Section 3 and 
$L_F$ is a liveness condition for $F$ giving the eventual bounds for all the non-$set$ 
steps. 

Similarly, I use a version $I''$ of the intermediate algorithm $I'$, giving eventual 
bounds for the classes $seize$, $stabilize$, $crit$ and $rem_i$ for each $i$. Formally, by 
removing the time bounds from $I'$, I can obtain a version $I$ having neither time 
bounds nor liveness conditions; then $I''$ can be described as an augmented timed 
automaton $(I, L_I)$, where $L_I$ is a liveness condition for $I$ giving eventual bounds 
for all the classes. 

Finally, I use an eventual version $M''$ of $M$, giving eventual bounds for the 
classes $crit$ and $rem_i$ for each $i$. Formally, $M''$ can be described as an augmented 
timed automaton $(M, L_M)$, where $M$ is the untimed mutex object presented in 
Section 3 and $L_M$ is a liveness condition for $M$ giving the eventual bounds. Thus, 
the liveness at each level is described using fairness conditions in the usual style 
for I/O automata. 

I carry out the liveness proof in two stages, first showing that every live timed 
trace of $I'' \times U$ is a live timed trace of $M'' \times U$, and then showing that every live 
timed trace of $F'' \times U$ is also a live timed trace of $I'' \times U$. I use the Execution 
Correspondence Lemma for each of these steps. 

First, consider the mapping from $I'' \times U$ to $M'' \times U$. This proof rests on a 
simulation from $I \times U$ to $M \times U$. Note that I never actually gave such a simulation, 
but only a timed version, from $I' \times U$ to $M' \times U$. However, the untimed version 
of this simulation can be derived straightforwardly from the timed version, just 
by dropping the first and last components in the simulation. 

A simple invariant for I x U is useful: 

Lemma 37. The following is true in all reachable states of $I \times U$: If $status \neq 
start$ then $region_i = try$ for some $i$. 

Let $\alpha$ be a live discrete execution of $I'' \times U$. Then $\alpha$ is an admissible discrete 
execution of $I \times U$. Then by the Execution Correspondence Lemma, obtain $\alpha'$, a 
corresponding admissible discrete execution of $M \times U$. It suffices to show that $\alpha'$ 
is also a live discrete execution of $M'' \times U$. I work by contradiction, supposing 
that $\alpha'$ is not live. There are two liveness conditions that $\alpha'$ can fail to satisfy: 
fairness for the class $crit$, or fairness for one of the classes $rem_i$. I illustrate the 
method by sketching the argument for $crit$. 

Suppose that the liveness condition for $crit$ fails. Then $crit$ must be enabled 
from some point on in $\alpha'$, but no $crit$ action ever occurs after that point. Since 
$crit$ is enabled from the given point on in $\alpha'$, it follows that $region_i = try$ 
for some $i$ and $region_i \neq crit$ for all $i$, from that point on. By the execution 
correspondence, from some corresponding point on in $\alpha$, no $crit$ action ever 
occurs, and the same region conditions hold. I consider cases. 

1. $status = stab$ occurs sometime after the designated point in $\alpha$. 

Then Lemma 37 implies that $region_i = try$ at that point, for some $i$. Since no 
$crit$ action ever occurs, this persists. Also, the condition $status = stab$ must 
persist, since the $crit$ actions are the only ones that can change $status$ from 
$stab$ to anything else. Then fairness of $\alpha$ for $crit$ implies that eventually some 
$crit$ action occurs, a contradiction. Therefore, $status = stab$ never occurs. 

2. $status = seized$ occurs sometime after the designated point in $\alpha$. 

Then this condition persists, since the only action that can cause it to change 
is $stabilize$, which would lead to $status = stab$, contradicting the first case. 
But then fairness of $\alpha$ for $stabilize$ implies that eventually $stabilize$ must 
occur, a contradiction. 

3. $status = start$ everywhere after the designated point in $\alpha$. 

Then the correspondence implies that $seize$ is enabled throughout that por- 
tion of $\alpha$, so the fairness of $\alpha$ for $seize$ implies that eventually $seize$ occurs. 
But this leads to $status = seized$, contradicting the second case. 
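The hypothesis that the argument above refutes, that $crit$ is enabled from some point on but no $crit$ action ever occurs, is the failure of weak fairness for a class. On an execution that is ultimately periodic (a finite prefix followed by a cycle that repeats forever) the condition can be decided mechanically. The following Python block is an added example, not code from the paper: it checks weak fairness for each class on such a lasso-shaped execution of a constructed two-process model of the mutex object. The enabling condition for $crit$ is the one used above (some process in $try$, none in $crit$); the enabling condition for $rem_i$ (process $i$ in its exit region) is an assumption of the example.

```python
"""Weak fairness for action classes, checked on a lasso-shaped discrete
execution.  Added example; the state representation, the enabling predicates
and the sample executions are constructed here and are not the paper's own.

A Lasso holds states s_0..s_n and actions pi_1..pi_n (actions[k] is the step
from states[k] to states[k+1]) with states[-1] == states[loop], so the
execution runs forever around states[loop] ... states[-1].
"""

class Lasso:
    def __init__(self, states, actions, loop):
        assert len(states) == len(actions) + 1 and states[-1] == states[loop]
        self.states, self.actions, self.loop = states, actions, loop

    def cycle_states(self):
        return self.states[self.loop:-1]

    def cycle_actions(self):
        return self.actions[self.loop:]


def weakly_fair(lasso, cls, enabled):
    """Weak fairness for the class cls (a set of action names) with enabling
    predicate enabled(state): if cls is enabled from some point on, an action
    of cls occurs infinitely often.  On a lasso, "from some point on" means
    "in every state of the cycle" and "infinitely often" means "in the cycle"."""
    continuously_enabled = all(enabled(s) for s in lasso.cycle_states())
    occurs = any(a in cls for a in lasso.cycle_actions())
    return occurs or not continuously_enabled


def unfair_classes(lasso, classes):
    """Names of the classes whose liveness condition the lasso violates."""
    return [name for name, (cls, enabled) in classes.items()
            if not weakly_fair(lasso, cls, enabled)]


# Constructed two-process model of the mutex object: a state records each
# process's region.  crit is enabled when some process is in try and none is
# in crit (as in the argument above); rem_i is assumed to be enabled when
# process i is in its exit region.
PROCS = (1, 2)

def enabled_crit(s):
    regions = s["region"].values()
    return "try" in regions and "crit" not in regions

def enabled_rem(i):
    return lambda s: s["region"][i] == "exit"

CLASSES = {"crit": ({f"crit_{i}" for i in PROCS}, enabled_crit)}
CLASSES.update({f"rem_{i}": ({f"rem_{i}"}, enabled_rem(i)) for i in PROCS})

def state(r1, r2):
    return {"region": {1: r1, 2: r2}}

# Fair: process 1 cycles through try, crit, exit and rem forever.
FAIR = Lasso(
    [state("rem", "rem"), state("try", "rem"), state("crit", "rem"),
     state("exit", "rem"), state("rem", "rem")],
    ["try_1", "crit_1", "exit_1", "rem_1"], loop=0)

# Unfair: process 1 enters try and then only time passes ("pass"), so crit
# stays enabled forever but never occurs; this is the situation the proof
# refutes for the execution alpha' obtained from the correspondence.
STARVED = Lasso(
    [state("rem", "rem"), state("try", "rem"), state("try", "rem")],
    ["try_1", "pass"], loop=1)
```

Running `unfair_classes(FAIR, CLASSES)` yields no violations, while `unfair_classes(STARVED, CLASSES)` reports exactly `crit`; the $rem_i$ classes are never continuously enabled in the starved cycle, so their conditions hold vacuously.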

Next, consider the mapping from $F'' \times U$ to $I'' \times U$. This proof rests on a 
simulation from $F \times U$ to $I \times U$. Again, I have only given a timed version of this 
simulation, from $F' \times U$ to $I' \times U$, but the untimed simulation can be derived 
from the timed version by dropping the first and last components. 

It is possible to use the Execution Correspondence Lemma based on the same 
kind of execution correspondence defined above, but a more efficient approach 
is to define a stronger (but messier) kind of correspondence, also implied by the 
simulations of this paper. This correspondence preserves not only the visible ac- 
tions, but also certain information about internal actions. A little more precisely, 
to each internal step of the implementation automaton, I assign a particular se- 
quence of internal actions of the specification automaton. Provided that, in the 
simulation proof, each internal step of the implementation always corresponds 
to an execution fragment with the assigned sequence, such a correspondence 
also holds for the complete admissible timed executions. That is, an additional 
condition 4 is added to the correspondence definition, saying that, if $\pi_{i+1}$ is an 
internal action, then the execution fragment $s'_{m(i)} \cdots s'_{m(i+1)}$ contains exactly 
the sequence of internal actions assigned to the step $s_i \pi_{i+1} s_{i+1}$. 

In the current example, I assign the $seize$ action to each $set$ step that changes 
$x$ from $0$ to a process index. I assign the $stabilize$ action to each $set$ step occurring 
when no process is in $crit$ or $reset$, and after which there are no other processes 
with $pc = set$. Note that both actions can be assigned to the same $set$ step; in 
this case, they are assigned in the order $seize$, $stabilize$. The empty sequence is 
assigned to all other internal steps. These assigned sequences of internal actions 
are exactly what is simulated by the given internal steps, in the simulation proof 
I sketched earlier. 
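The correspondence definition of this section (conditions 1 to 3) and the stronger condition 4 just described can both be checked mechanically on finite prefixes of discrete executions. The following Python block is an added example and not code from the paper: its state representation, the sample implementation and specification executions, the relation $R$ and the $seize$ assignment are all constructed for illustration. `find_mapping` searches for a total nondecreasing $m$ satisfying the conditions by dynamic programming over the candidate values of $m(i)$, and `check_mapping` verifies a proposed $m$ against the definition.

```python
"""Executable form of the execution-correspondence definition (conditions 1-3)
plus the additional condition 4 on assigned internal actions.  Added example;
representation and sample executions are constructed here, not the paper's.
An execution is states s_0..s_n plus actions pi_1..pi_n, actions[k] being the
step from states[k] to states[k+1]; every state has a "now" component.  A
timed visible action is (name, now of the pre-state); "pass" is time passage.
"""
VISIBLE = {"req", "grant"}        # visible actions shared by both automata
TIME_PASSAGE = {"pass"}

class Execution:
    def __init__(self, states, actions):
        assert len(states) == len(actions) + 1
        self.states, self.actions = states, actions

    def fragment(self, lo, hi):          # (action, time) pairs of s_lo ... s_hi
        return [(a, self.states[k]["now"]) for k, a in enumerate(self.actions[lo:hi], lo)]

    def timed_visible(self, lo, hi):
        return [(a, t) for a, t in self.fragment(lo, hi) if a in VISIBLE]

    def internal(self, lo, hi):
        return [a for a, _ in self.fragment(lo, hi) if a not in VISIBLE | TIME_PASSAGE]

def related(R, s, t):                    # R may only relate states with equal now
    return s["now"] == t["now"] and R(s, t)

def step_matches(alpha, i, alpha_p, j, jp, assign):
    """Condition 3, and condition 4 when an assignment is given, for the step
    s_i pi_{i+1} s_{i+1} of alpha against the fragment s'_j ... s'_jp of alpha'."""
    if alpha_p.timed_visible(j, jp) != alpha.timed_visible(i, i + 1):
        return False
    pi = alpha.actions[i]
    if assign is None or pi in VISIBLE | TIME_PASSAGE:
        return True
    return alpha_p.internal(j, jp) == assign(alpha.states[i], pi, alpha.states[i + 1])

def check_mapping(alpha, alpha_p, R, m, assign=None):
    """Verify conditions 1-3 (and 4) for a proposed mapping m, with m[i] = m(i)."""
    n = len(alpha.states) - 1
    if len(m) != n + 1 or m[0] != 0 or not all(0 <= j < len(alpha_p.states) for j in m):
        return False
    return (all(related(R, alpha.states[i], alpha_p.states[m[i]]) for i in range(n + 1))
            and all(m[i] <= m[i + 1] and step_matches(alpha, i, alpha_p, m[i], m[i + 1], assign)
                    for i in range(n)))

def find_mapping(alpha, alpha_p, R, assign=None):
    """Search for a total nondecreasing m by dynamic programming over the candidate
    values of m(i); returns m as a list, or None if alpha and alpha' are not related."""
    n, n_p = len(alpha.states) - 1, len(alpha_p.states) - 1
    if not related(R, alpha.states[0], alpha_p.states[0]):
        return None
    back = [{0: None}]            # back[i][j]: a value of m(i-1) from which m(i) = j works
    for i in range(n):
        nxt = {}
        for j in back[i]:
            for jp in range(j, n_p + 1):
                if jp not in nxt and related(R, alpha.states[i + 1], alpha_p.states[jp]) \
                        and step_matches(alpha, i, alpha_p, j, jp, assign):
                    nxt[jp] = j
        if not nxt:
            return None
        back.append(nxt)
    m = [max(back[n])]
    for i in range(n, 0, -1):
        m.append(back[i][m[-1]])
    return m[::-1]

# Constructed sample: one process of a Fischer-style implementation (state: its pc
# and the shared variable x) against a mutex-object-style specification (state:
# the process's region and a status).  Names follow the paper's vocabulary only.
def impl(now, pc, x):
    return {"now": now, "pc": pc, "x": x}

def spec(now, region, status):
    return {"now": now, "region": region, "status": status}

ALPHA = Execution(
    [impl(0, "rem", 0), impl(0, "try", 0), impl(0, "set", 1), impl(2, "set", 1),
     impl(2, "leave-try", 1), impl(2, "crit", 1)],
    ["req", "set", "pass", "check", "grant"])
ALPHA_P = Execution(
    [spec(0, "rem", "start"), spec(0, "try", "start"), spec(0, "try", "seized"),
     spec(2, "try", "seized"), spec(2, "crit", "start")],
    ["req", "seize", "pass", "grant"])
ALPHA_P_NO_GRANT = Execution(ALPHA_P.states[:4], ALPHA_P.actions[:3])  # never grants

REGION_OF = {"rem": "rem", "try": "try", "set": "try", "leave-try": "try", "crit": "crit"}

def R(s, t):                      # assumed simulation relation: the pc fixes the region
    return REGION_OF[s["pc"]] == t["region"]

def ASSIGN(s, pi, s_next):
    """Condition-4 assignment after the text's rule for seize: a set step that moves
    x from 0 to a process index is assigned [seize]; other internal steps get []."""
    if pi == "set" and s["x"] == 0 and s_next["x"] != 0:
        return ["seize"]
    return []
```

Without an assignment, `find_mapping(ALPHA, ALPHA_P, R)` returns `[0, 1, 1, 3, 3, 4]`: the internal $set$ step may be matched to the empty fragment, since conditions 1 to 3 only constrain visible actions and the $now$ component. With `ASSIGN`, condition 4 forces the $set$ step to correspond to the fragment containing $seize$, and the mapping becomes `[0, 1, 2, 3, 3, 4]`; that extra information about where the specification's internal steps sit is exactly what the stronger correspondence carries into the liveness argument. Against `ALPHA_P_NO_GRANT`, which never performs the visible $grant$, no mapping exists and `None` is returned.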

Now for the proof. Let $\alpha$ be a live discrete execution of $F'' \times U$. Then $\alpha$ is an 
admissible discrete execution of $F \times U$. Then by the Execution Correspondence 
Lemma (using the stronger correspondence just defined), obtain $\alpha'$, a corresponding 
admissible discrete execution of $I \times U$. It suffices to show that $\alpha'$ is also a live 
discrete execution of $I'' \times U$. I work by contradiction, supposing that $\alpha'$ is not 
live. There are four liveness conditions that $\alpha'$ can fail to satisfy: fairness for the 
class $seize$, $stabilize$, or $crit$, or fairness for one of the classes $rem_i$. 



1. $seize$ 

Suppose that the liveness condition for $seize$ fails. Then $seize$ must be en- 
abled from some point on in $\alpha'$, but no $seize$ action ever occurs after that 
point. Since $seize$ is enabled from the given point on in $\alpha'$, it follows that 
$region_i = try$ for some $i$, $region_i \neq crit$ for all $i$, and $status = start$, from 
that point on. By the execution correspondence, from some corresponding 
point on in $\alpha$, the same region conditions hold, either $x = 0$ or else some 
process has $pc = reset$, and no $set$ step ever occurs that changes $x$ from $0$ to 
a process index. I consider cases. 

(a) A later point $p$ is reached in $\alpha$ where no process is at reset. 

Then it must be that $x = 0$ at point $p$, and consequently from that 
point onward. This implies by Lemma 18 that, from point $p$ onward, no 
process is ever at leave-try. 
If a point is reached after $p$ at which some process $i$ is at set, then fairness 
for $set_i$ in $\alpha$ implies that a $set$ from $0$ to an index eventually occurs, a 
contradiction; therefore, no process is ever at set. 
If a point is reached after $p$ at which some process $i$ is at test, then fairness 
for $test_i$ says that $test_i$ eventually occurs, and since $x$ stays equal to $0$, 
the test succeeds, causing $pc_i$ to become $set$, a contradiction. Therefore, 
no process is ever at test. 
The only remaining possibility is that some process $i$ remains at check 
from point $p$ onward. But then fairness for $check_i$ in $\alpha$ implies that $check_i$ 
eventually occurs, fails because $x = 0$, and results in process $i$ going to 
test. This is again a contradiction. 
This covers all the possibilities (because some process must be in the 
trying region from point $p$ onward), so this entire case is contradicted. 

(b) At every later point in $\alpha$, some process is at reset. 

Note that in this fragment, no new process ever reaches reset, because 
no process is ever in the critical region. Then repeated use of fairness for 
$reset$ implies that eventually there is no process at reset, a contradiction. 

2. $stabilize$ 

Suppose that the liveness condition for $stabilize$ fails. Then $stabilize$ must be 
enabled from some point on in $\alpha'$, but no $stabilize$ action ever occurs after 
that point. Since $stabilize$ is enabled from the given point on in $\alpha'$, it follows 
that $status = seized$ from that point on. By the execution correspondence, 
from some corresponding point on in $\alpha$, $x \neq 0$, no process is at crit or reset, 
and some process is at set. Note that in this fragment, no new process ever 
reaches set, because $x \neq 0$. Then repeated use of fairness for $set$ implies that 
eventually there is no process at set. This is a contradiction. 

3. $crit$ 

Suppose that the liveness condition for $crit$ fails. Then $crit$ must be enabled 
from some point on in $\alpha'$, but no $crit$ action ever occurs after that point. Since 
$crit$ is enabled from the given point on in $\alpha'$, it follows that $status = stab$ from 
that point on. By the execution correspondence, from some corresponding 
point on in $\alpha$, $x \neq 0$, no process is at crit or reset, and no process is at 
set. Moreover, no $crit$ action occurs. This implies that $x$ remains equal to 
$i$ for some fixed $i$. By Lemma 22, it must be that from this point onward, 
this process $i$ must either be at check or leave-try. If it is ever at leave-try, 
then fairness to $crit$ in $\alpha$ easily implies that a $crit$ action eventually occurs, 
a contradiction. So it must be that process $i$ is at check throughout the 
fragment. Then fairness implies that $check_i$ eventually occurs, and succeeds 
since $x = i$. But this leads to $pc_i = $ leave-try, which is again a contradiction. 

4. $rem_i$ 

Left to the reader. 

Such a proof can be written more formally using a temporal language that 
allows mention of both states and actions, such as the ones used in [36,40]. 

7 Discussion 

In this paper, I have given a comprehensive survey of simulation methods and 
other related methods for reasoning about timing-based systems. The main con- 
cepts and techniques that I have presented are the following: 

1. The general timed automaton model. 

2. Refinements, forward and backward simulations, and their weak versions. 

3. The special-case MMT model. 

4. Building time, in particular, the current time and timing predictions, into 
the state. 

5. Invariants, especially those involving time predictions. 

6. Milestones. 

7. Progress functions. 

8. Execution correspondence. 

9. Weak fairness for automaton classes. 

I have illustrated these methods with a substantial number of examples. 

I do not mean to claim that simulations provide an all-purpose proof method 
for timing-based systems. Even though there are completeness results for the 
combination of forward and backward simulations, there are important examples 
for which simulations do not provide the most natural proof of correctness. For 
example, some algorithms are best understood as the result of transformations of 
automata that reorder the steps of executions, shifting the part of the execution 
that occurs at one node relative to the part that occurs at another. For examples 
of such algorithms in the timed setting, consider the transformations described 
by Neiger and Toueg [30] and by Chaudhuri et al. [5]. In the untimed setting, 
this style of reasoning occurs in arguments about database concurrency control 
[21], and about synchronizers [2, 7]. It also occurs in arguments about algorithms 
that have the structure of communication-closed layers [9]. 

Several other examples have been verified, or partially verified, using the 
methods of this paper. These include a timed protocol for at-most-once message 
delivery due to Liskov, Shrira and Wroclawski [17]; the proof appears in [36,38]. 



They also include a bounded message queue example designed to show that, 
with certain limitations on the rate of message arrival and message processing, 
the length of a message queue stays bounded. The proof appears in [18]. A 
third example is a timing-based link-state packet distribution protocol designed 
by Perlman [33]. Although efficient in practice, this protocol has bad worst- 
case behavior, which was identified in the course of sketching an analysis using 
simulation methods. 

Future work includes continuing to apply these methods to additional prob- 
lems. Telecommunications and real-time process control are general areas that 
should serve as rich sources for appropriate timing-based algorithms. 

It also remains to systematize and formalize liveness proofs of the sort out- 
lined here. This will probably involve fixing a suitable temporal language and 
logic. 

Finally, proofs of the sort given in this paper appear to be excellent candidates 
for mechanical verification using automatic theorem-provers. Several researchers 
have already done work using automatic theorem-provers to assist in carrying 
out simulation proofs [32,37]. Work in progress [39] involves using the Larch 
Prover [11] to carry out some simple simulation proofs for timing properties. 